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This book offers a comprehensive and integrative introduction to cybercrime. 
It provides an authoritative synthesis of the disparate literature on the various 
types of cybercrime, the global investigation and detection of cybercrime and 
the role of digital information, and the wider role of technology as a facilitator 


for social relationships between deviants and criminals. It includes coverage of: 


e key theoretical and methodological perspectives; 

® computer hacking and malicious software; 

© digital piracy and intellectual theft; 

® economic crime and online fraud; 

® pornography and online sex crime; 

© cyberbullying and cyberstalking; 

@ cyberterrorism and extremism; 

e the rise of the Dark Web; 

e digital forensic investigation and its legal context around the world; 
e the law enforcement response to cybercrime transnationally; 


© cybercrime policy and legislation across the globe. 


The new edition has been revised and updated, featuring two new chapters; the 
first offering an expanded discussion of cyberwarfare and information operations 
online, and the second discussing illicit market operations for all sorts of prod- 
ucts on both the Open and Dark Web. 

This book includes lively and engaging features, such as discussion ques- 
tions, boxed examples of unique events and key figures in offending, quotes 
from interviews with active offenders, and a full glossary of terms. It is supple- 
mented by a companion website that includes further exercises for students and 
instructor resources. This text is essential reading for courses on cybercrime, 
cyber-deviancy, digital forensics, cybercrime investigation, and the sociology 
of technology. 
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“The third edition of Cybercrime and Digital Forensics presents an updated and 
vital introduction to key topics in the study of cybercrime. The authors deliver 
an accessible textbook for students and a foundational resource for those new 
to the field, with expanded content on cyberwarfare and illicit markets, among 
other case studies. Cybercrime and Digital Forensics remains a comprehensive and 
must-read sourcebook in the field of cybercrime.” 


Anastasia Powell, Associate Professor of Criminology and Justice Studies, 
RMIT University, Australia 


“The new edition of Cybercrime and Digital Forensics continues to provide 
a foundation for the study of cybercrime and the government’s response to it. 
Moreover, the new material demonstrates that the authors have kept up with 
research and trends on cybercrime as they discuss the emergence of cyber- 
warfare and the role of the Dark Web in supporting illicit markets. As the 
demand for cybersecurity specialists grows, this book is a needed primer that 
covers theoretical, empirical, and practical knowledge for the next generation 


of professionals.” 


George W. Burruss, PhD, Department of Criminology and Cyber Florida, 
University of South Florida, USA 


“With its broad scope and the captivating style, this new edition of Cybercrime 
and Digital Forensics is a timely update of this seminal book, which remains a key 
reference point for anyone — scholars and professionals alike — looking for an 


introduction to cybercrimes.” 


Anita Lavorgna, PhD, SFHEA, Associate Professor in Criminology, 
University of Southampton, UK 


“Cybercrime is a complex phenomenon that blends technical, social and pol- 
icy dimensions interacting in novel ways. This book presents this complexity 
in an approachable format and highlights its most salient features to learners 
from different backgrounds. The authors distill decades of cybercrime expertise 
in a volume that enables the reader to link practical material with theoretical 
insights. The abundance of international examples also ensures this book pro- 
vides students with a truly global perspective on cybercrime.” 


Benoit Dupont, Professor of Criminology and Canada Research Chair in Cybersecurity, 


Université de Montréal, Canada 
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Chapter 


TECHNOLOGY 


AND 
CYBERCRIME 


Technology and Cybercrime 


Chapter Goals 


e Explain how technology has affected human behavior 

e Identify the difference between digital natives and digital immigrants 

e Discuss the three ways that technology can be abused by individuals 

e Recognize a subculture and their role in offending behaviors 

e Identify the differences between cyberdeviance, cybercrime, and 
cyberterror 

e Understand how computers and technology produce digital evidence 
and its value in criminal investigation 

e Explain the factors that make cybercrimes attractive to certain people 


e Explore the various forms of cybercrime that occur across the world 


Introduction 


The Internet, computers, and mobile technologies have dramatically reshaped 
modern society. Three decades ago, most individuals did not own a cell phone, 
individuals were not texting, emailing was uncommon, and personal comput- 
ers were still somewhat expensive pieces of equipment. Internet connectivity 
generally occurred through slow dial-up modems where individuals paid for 
Internet access by the hour. Video game systems used 16-bit graphics and did 
not connect to other devices to allow for gaming to be a communal activity. 
Individuals read books and newspapers rather than e-readers. If you were using 
Global Positioning Systems (GPS), you were probably not driving your personal 
vehicle, but rather operating a military system. 

Today, most of the world now depends on computers, the Internet, and cel- 
lular technology. Individuals now own laptops that are connected via Wi-Fi, 
smartphones, and one or more video game systems that may be networked. Cell 
phones have become a preferred method of communication for most people, espe- 
cially text messages. In addition, people have multiple email accounts and social 
networking profiles on multiple platforms for both personal and business use. 

It is amazing to consider that the world and human behavior have changed 
so quickly through the use of technology. In fact, there are now 4.57 billion 
Internet users worldwide, comprising 58.7 percent of the world’s population 
(Internet World Stats, 2020). Asian nations comprise half of the world’s Inter- 
net users, though only 53.6 percent of their overall population have sustained 


online access (Internet World Stats, 2020). By contrast, North American nations 


Technology and Cybercrime 


comprise only 7.6 percent of the world’s Internet user population, though 
94.6 percent of their overall population have access (Internet World Stats, 2020). 


The Importance of Technology in Modern Society 


The proliferation of technology has led to distinct changes in how individuals 
engage with the world around them. People now shop, communicate, and share 
information in digital formats, which was previously impossible. Additional 
changes in behavior are likely to continue in the face of technological innova- 
tions as they are developed and implemented. In fact, the sociologist Howard 
Odum referred to this process of behavior change in response to technolog- 
ical innovation as technicways (Odum, 1937; Parker, 1943; Vance, 1972). 
From Odum’s perspective, technicways replace existing behavior patterns and 
force institutional changes in society (Vance, 1972). For instance, if an individ- 
ual 30 years ago wanted to communicate with other people, he/she might call 
them, see them in person if possible, or more likely send a letter through postal 
mail. Now, however, that person would send a text, write an email, or send a 
direct message, or DM, on social media rather than talking to them over the 
phone or writing a letter through “snail mail.” 

The impacts of technicways are evident across all demographic groups in 
modern society. For instance, 81 percent of Americans own a smartphone as of 
2019, with substantial access among younger populations: 96 percent of 18- to 
29-year-olds have one (Pew Research Center, 2019). By comparison, evidence 
suggests 59.9 percent of the population of China and only 25.3 percent of India 
have smartphones (Newzoo, 2020). As these rates continue to increase, Internet 
use will change and directly impact the social and economic lives of individuals 
in each country and across regions of the world. 

This is evident in the fact that many people around the world utilize social 
media as a means to connect and engage with others in different ways. For 
instance, 69 percent of American adults use Facebook, though there has been 
substantial increase in the use of Instagram and LinkedIn as a means to commu- 
nicate (Perrin & Anderson, 2019). By contrast, WhatsApp is much more popular 
in a global context and is the number one messaging application across much of 
South, America, Western Europe, Africa, and some parts of Asia (Iqbal, 2020). 
Other services, such as QQ, have a much more region-specific user population 
(Bucher, 2020). 

Despite regional variations in use, technology has had a massive impact on 


youth populations who have never experienced life without the Internet and 
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computer-mediated communications (CMCs) like email and texting. 
Today, youth in the United States acquire their first cell phones at approxi- 
mately age 11, though 20 percent have one by age 8 (Robb, 2019). Similar use 
patterns are evident across the globe, with children in Germany receiving a 
phone between the ages of 6 and 13, while children in South Korea obtain them 
even earlier (Howard, 2017). 


TORE For more information on statistics of social media and technol- 


' ogy use, go online to: 


1. www.pewinternet.org/ 
2. https://www.cnn.com/2017/12/11/health/cell-phones-for-kids- 


parenting-without-borders-explainer-intl/index.html 


Technology has not simply shifted the behaviors of youth but has actually 
shaped and molded their behavior and worldview from the start. Most people 
born in the mid to late 1980s have never lived without computers, the Internet, 
or cell phones. As a consequence, they do not know a world without these 
devices and what life was like without these resources. Thus, Prensky (2001) 
argued that these youth are digital natives, in that they were brought into a 
world that was already digital, spend large amounts of time in digital environ- 
ments, and utilize technological resources in their day-to-day lives. For instance, 
virtually everyone (96 percent) aged 16-34 in the United Kingdom accesses the 
Internet on a mobile device (Office for National Statistics, 2018). Individuals 
aged 18-24 in the United States also use unique messaging apps at much higher 
rates than older groups, as 73 percent use Snapchat and 75 percent use Instagram 
(Perrin & Anderson, 2019). Similarly, 55 percent of all Indian males between 
the ages of 18 and 34 use WhatsApp almost every day (Steup, 2018). 

By contrast, digital immigrants are those who were born before the crea- 
tion of the Internet and digital technologies (Prensky, 2001). These individuals 
quite often need to adapt to the digital environment, which changes much more 
rapidly than they may be prepared for otherwise. This is especially true for many 
older individuals who were born decades before the creation and advent of these 
technologies. As a consequence, they may be less willing to immediately adopt 
these resources or utilize them in diverse ways. For instance, some resources may 
be more difficult for digital immigrants to understand because of the technologies 


employed or their perceived utility. For example, only 31 percent of US adults 


aged 50 and older were likely to use an app like Instagram, and 12 percent used 
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Snapchat (Perrin & Anderson, 2019). Similarly, only 28 percent of people aged 
65 years and older in the United Kingdom used the Internet on a mobile device 
(Office for National Statistics, 2018). Thus, digital immigrants have a much dif- 
ferent pattern of adoption and use of technologies relative to digital natives. 
The proliferation of technology in modern society has had a massive impact 
on human behavior. The world is being restructured around the use of CMCs, 
affecting the way that we interact with governments, businesses, and one another. 
In addition, technology use is creating a divide between generations based on the 
way individuals use technology in their day-to-day lives. At the same time that 
technology is altering how we live our daily lives, individuals are adapting var- 
ious technologies, such as computers and the Internet, to subvert their original 


beneficial designs and applications to commit modified and new forms of crime. 


Technology as a Landscape for Crime 


The continuing evolution of human behavior as a result of technological inno- 
vations has created unparalleled opportunities for crime and misuse. Over the 
last three decades, there has been a substantive increase in the use of technology 
by street criminals and novel applications of technology to create new forms 
of crime that did not previously exist. The World Wide Web and the Inter- 
net also provide a venue for individuals who engage in crime and deviance to 
communicate and share information, which is not otherwise possible in the real 
world. As a result, it is vital that we begin to understand how these changes are 
occurring, and what this means for offending in the twenty-first century. There 
are three key ways that computer and cellular technologies may be abused or 


subverted by offenders: 


1 as a medium for communication and the development of subcultures online; 

2 as a mechanism to target sensitive resources and engage in crime and devi- 
ance; and 

3 as an incidental device to facilitate the offense and provide evidence of crim- 


inal activity both online and offline. 


Technology as a Communications Medium 


Various forms of technology, such as telephony (often viewed as technolo- 


gies allowing long-distance voice communication), the Internet, and digital 


media, can be used as a means for individuals to communicate in a rapid and 


Technology and Cybercrime 


decentralized fashion across the globe. Computers, cell phones, and technolog- 
ical equipment can be obtained at minimal cost and used with a high degree of 
anonymity. In turn, criminals can use these devices to connect with others and 
share information that may be of interest. 

For example, the customers of prostitutes use web forums and chat rooms to 
discuss where sex workers are located, services provided, pricing, and the police 
presence in a given area (Holt & Blevins, 2007; Holt et al., 2008; Sharp & Earle, 
2003). This exchange of firsthand information is difficult to conduct in the real 
world, as there are no outward signs to otherwise suggest that someone is interested 
in or has visited a prostitute. In addition, there is a high degree of social stigma 
and shame surrounding paying for sex, so it is unlikely that someone would admit 
this behavior to another person in public (McKeganey & Barnard, 1996; O’Con- 
nell Davidson, 1998). The faceless, anonymous nature of the Internet, however, 
allows people to talk about such actions with little risk of harm or reprisal. 

The sale of illicit narcotics like cocaine, marijuana, and methamphetamines 
has also moved online through the development of markets, such as the famous 
Silk Road (see Chapter 12 for more information), where individuals buy and 
sell narcotics through various methods. The primary resource used by sellers and 
buyers are forums operating on the so-called Dark Web, which is a portion of 
the Internet that can only be accessed via the use of specialized encryption soft- 
ware and browser protocols. Individuals can only access these forums through 
the use of The Onion Router, or TOR service, which is a free proxy and 
encryption protocol that hides the IP address and location details of the user 
(Barratt et al., 2014; Dolliver, 2015). Additionally, the content of these sites 
cannot be indexed by Google or other search engines. This technology limits 
the ability of law enforcement agencies to eliminate illicit content because the 
hosting source cannot be identified through traditional means (see Chapter 12; 
Dolliver, 2015). 


For more information on TOR, including how it operates, go 


online to: https://www.torproject.org/about/overview.html.en 


The distributed nature of the Internet and CMCs enables individuals to con- 
nect to other people and groups that share similar likes, dislikes, behaviors, 
opinions, and values. As a result, technology facilitates the creation of subcul- 
tures between individuals based on common behaviors and ideals regardless of 
geographic or social isolation. From a sociological and criminological perspec- 


tive, subcultures are groups that have their own values, norms, traditions, and 
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rituals which set them apart from the dominant culture (Brake, 1980; Korn- 
blum, 1997). 

Participants in subcultures generate their own codes of conduct to struc- 
ture the ways they interact with other members of the subculture and different 
groups in society (Foster, 1990). In addition, membership in a subculture influ- 
ences individual behavior by providing beliefs, goals, and values that approve of 
and justify activity (Herbert, 1998). For instance, a subculture may emphasize 
the development of skills and abilities that may find less value in the general 
culture, like an ability to use multiple programming languages and manipulate 
hardware and software among computer hackers (Holt, 2007; Jordan & Taylor, 
1998; Steinmetz, 2015; Taylor, 1999). Members of a subculture also have their 
own argot or slang to communicate with others and protect their discussions 
from outsiders (Bilgrei, 2017; Holt et al., 2010a). The use of this language 
can serve as a practical demonstration of membership in any subculture. Thus, 
subcultures provide members with a way to gauge their reputation, status, and 
adherence to the values and beliefs of the group. 

There are myriad subcultures in modern society, many involving both online 
and offline experiences. However, not all subcultures are deviant. Individuals 
can also be a member of several subcultures at once. For instance, you may 
belong to a subculture of sports team fans (whether football, basketball, or any 
athletics) if you (1) enjoy watching their games, (2) know the statistics for your 
favorite players, (3) know the historic events in your team’s previous seasons, 
and (4) you debate others over who may be the best players in certain positions. 
Similar subcultures exist for gardening, fashion, cars, movies, and other behav- 
iors. Finding others who share your interests can be beneficial as it allows for 
social connectivity and a way to channel your interests in positive ways. 


For more examples of various online and offline subcultures and 


their swift evolutions, go online to: 


1. https://www.indusnet.co.in/10-internet-subcultures-need-know/ 
2. https:// www.afr.com/life-and-luxury/arts-and-culture/punk-s-not- 
dead-just-invisible-the-fashion-of-today-s-digital-tribes-20191206-p53her 


In much the same way, subcultures can emerge online and offline for those 
with an interest in certain forms of crime and deviance (Quinn & Forsyth, 
2005). Technology allows individuals to connect to others without fear of 


reprisal or social rejection and even enables individuals who are curious about 
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behavior or activity to learn more in an online environment without fear of 
detection (Blevins & Holt, 2009; Deshotels & Forsyth, 2020). New technolo- 
gies also enable the formation of and participation in multiple subcultures with 
greater ease than is otherwise possible offline. In fact, individuals can readily 
communicate subcultural knowledge through email and other CMCs, such as 
techniques of offending that may reduce their risk of detection from victims and 
law enforcement (Aldridge & Askew, 2017; Souleymanov et al., 2021). Because 
of the prominence of technology as a means to communicate with others, this 
book will focus extensively on the role of online subcultures to facilitate crime 


and deviance in virtual and real-world environments. 


Technology as a Target of or Means 
to Engage in Crime 


The second way that technology can be misused is much more insidious — as a 
resource for individuals to attack and to cause harm to individuals, businesses, 
and governments both online and offline. Many devices in our daily lives have 
the capability to connect to the Internet, from televisions to desktop computers, 
video game systems, thermostats, and security systems. These technologies con- 
tain sensitive bits of information, ranging from our shopping habits to usernames 
and passwords for bank and email accounts. Since these devices can communi- 
cate with one another, individuals can potentially gain access to this information 
through various methods of computer hacking (see Chapter 3 for more detail). 

While hacking is often thought to involve highly skilled individuals with a 
significant understanding of technology, the simple act of guessing someone’s 
email or computer password could be defined as a hack (Bossler & Burruss, 
2011; Skinner & Fream, 1997). In fact, research on college students suggests that 
between 10 and 25 percent of undergraduates have tried to guess someone else’s 
password (Holt et al., 2010c; Rogers et al., 2006; see also Donner, 2016). Gain- 
ing unauthorized access to personal information online is often key to defini- 
tions of hacking, as an individual is attempting to gain entry into protected 
systems or data (see Schell & Dodge, 2002; Steinmetz, 2015; Wall, 2001). In 
turn, they can use information acquired to engage in different forms of fraud or 


theft in online and offline spaces. 


For more information on creating passwords, go online to: http:// 


passwordsgenerator.net/ 
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Similarly, some hackers target websites and resources in order to cause harm 
or express a political or ideological message. Often, the hacker and activist com- 
munity use web defacement in order to spread a message and cause harm at 
the same time (Holt et al., 2017; Howell et al., 2019). Web defacements are 
an act of online vandalism wherein an individual replaces the existing HTML 
code for a web page with an image and message that they create. For example, a 
person might try to deface the website for the White House (www.whitehouse. 
gov) and replace the content with a message that they want others to see. 
Although this is an inconvenience and embarrassment to the site owner, it may 
be more malicious if the defacer chooses to delete the original content entirely. 

Defacements have become a regular tool for politically motivated hackers 
and actors to express their opinions and have been used around many hot- 
button social events. For instance, the Turkish hacker community began a 
widespread campaign of web defacements after the publication of a cartoon 
featuring an image of the prophet Mohammed with a bomb in his turban (Holt, 
2009; Ward, 2006). Many Muslims were deeply offended by this image, and 
Turkish hackers began to deface websites owned by the Danish newspaper that 
published the cartoon, along with any other site that reposted the image. The 
defacements were conducted in support of the Islamic religion and to express 
outrage over the way their faith was being portrayed in the popular media 
(Holt, 2009; Ward, 2006). Thus, motivated actors who want to cause harm or 


express an opinion may view various resources online as a target. 


= 
For more on web defacements and images of such content, go El ial 
online to: www.zone-h.org io 

a 


Defining Computer Misuse and Abuse 


Since technology can be used both as a communications medium and target for 
attacks against digital targets and infrastructure, it is essential to delineate what 
constitutes the abuse and misuse of technology. For instance, the term devi- 
ance is used to refer to a behavior that may not be illegal, though it is outside 
of the formal and informal norms or beliefs of the prevailing culture. There are 
many forms of deviance, depending on societal norms and societal contexts. 
For instance, texting and using Facebook while in class, movie theaters, or 
other settings may not be illegal, but it is disruptive and generally frowned upon 


by faculty and administrators. Therefore, texting and using Facebook could be 
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viewed as deviant in the context of certain situations and locations. Since the 
activity is engendered by technology, it is to be referred to as cyberdeviance. 

A more pertinent example of cyberdeviance is evident in the creation and 
use of pornography (see Chapters 7 and 8). The Internet has made it exceed- 
ingly easy for individuals to view pornographic images and videos as well as 
make these materials through the use of webcams, cell phone cameras, and 
digital photography. It is legal for anyone over the age of 18 to either access 
pornographic images or perform in these films and media. If the larger com- 
munity shares the view that pornography is morally wrong, then viewing these 
materials may be considered deviant in that area. Therefore, it is not illegal to 
engage in this activity; rather it simply violates local norms and belief systems, 
making it a deviant behavior. 

Activities that violate codified legal statutes change from being deviant to 
criminal acts. In the context of pornography, if an individual is under the age 
of 18 in the United States, they are not legally allowed to either create or view 
pornographic images. Therefore, such an act is considered a crime because it 
carries legal sanctions. The criminal statutes in the United States at both the state 
and federal levels recognize a variety of offenses in the real world. 

The rapid adoption and use of technology in order to facilitate criminal 
activity, however, have led to the creation of several terms in order to properly 
classify these behaviors. Specifically, cybercrime and computer crime emerged a 
few decades ago to refer to the unique way that technology is used to facilitate 
criminal activity. Cybercrime refers to crimes “in which the perpetrator uses 
special knowledge of cyberspace,” while computer crimes occur because “the 
perpetrator uses special knowledge about computer technology” (Furnell, 2002, 
p. 21; Wall, 2001). 

In the early days of computing, the difference between these terms was 
useful to clarify how technology was incorporated into the offense. The fact 
that almost every computer is now connected to the Internet in some way has 
diminished the need to segment these two acts (Wall, 2007). In addition, they 
have become nearly synonymous in both academic circles and popular media. 
As a result, this book will use the term “cybercrime” due to the range of crimes 
that can occur through the use of online environments and the massive number 
of computers and mobile devices that are connected to the Internet. 

The borderless nature of the Internet complicates the criminal justice 
response to crime and deviance since the ways that nations define an act do 
not generally hinder individuals from accessing content. Using the example of 
pornography, it is legal to produce and access this content in the United States 
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and most other parts of the globe. Islamic majority nations like Iran and Saudi 
Arabia, however, have banned and made it illegal to access pornography due to 
their religious beliefs (Shishkina & Issaev, 2018). Other countries like Sweden, 
however, place minimal restrictions on the production of pornographic con- 
tent, including images of animals or “bestiality.” Although it is illegal to create 
or view this content in the United States and most other nations, individuals can 
access bestiality, violent, or unusual pornographic material from across the globe 
regardless of their nation’s laws, due to the connectivity afforded by the Internet 
(Brenner, 2008; Wall, 2007). Thus, it is difficult to restrict or enforce local laws 
on individual conduct because of the ability to access content globally. 

The intersection of cybercrime and cyberdeviance is also related to the 
emerging problem of cyberterrorism (see Figure 1.1 for detail; see also Chap- 
ter 10). This term emerged in the mid-1990s as technology began to play an 
increasingly significant role in all aspects of society (Britz, 2010; Denning, 
2001). There is no single accepted definition for cyberterrorism, though many 
recognize this behavior as the use of digital technology or CMCs to cause harm 
and force social change based on ideological or political beliefs (Brenner, 2008; 
Britz, 2010). Cyberattacks driven by an ideological or political agenda have 
been observed through the last two decades, with individuals targeting sensitive 
information, computer systems, and networks around the world (Holt et al., 
2021). Criminals may also attack these targets using similar tactics, making it 
difficult to separate acts of cyberterror from cybercrime (Brenner, 2008; Holt 
et al., 2021). 


CYBERCRIME CYBERDEVIANCE 


CYBERTERRORISM 


Fig. 1.1 Venn 
diagram of 
cybercrime, 
cyberterrorism, 
and 
cyberdeviance 
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For more information on the technologies supporting power 
grids, go online to: 


1. www.tofinosecurity.com/blog/scada-cyber-security-international-issue 
2. https://www.allaboutcircuits.com/technical-articles/an-introduction- 


to-scada-systems/ 


In order to more accurately classify these online phenomena, it is necessary 
to consider both the motive of the attacker and the scope of harm caused. For 
instance, criminal acts often target single individuals and may be motivated by 
economic or other objectives, whereas terrorist attacks are often driven by a 
political motive and are designed to not only hurt or kill innocents but also to 
strike fear into the larger population (Britz, 2010; Jarvis & Macdonald, 2015). 
It is not always possible to clearly identify the nature of certain acts as being 
deviant, criminal, or terroristic based solely on the nature of the event (Holt 
et al., 2021). Additional context is needed to assess the potential motivation for 
the action, including the target of the attack and the way in which the attackers 
express their reasons for the incident. For instance, a data breach targeting a 
company could be performed for an economic motivation, such as to use cus- 
tomer credit card data to engage in fraud. It may, however, be ideological in 
nature if the target fits into the ideological beliefs of a specific extremist or rad- 
ical group, and they post public comments to suggest they performed the attack 
in order to harm or embarrass the company (Britz, 2010; Jordan & Taylor, 
2004). Such hacks have been reported by far-left groups like the Animal Liber- 
ation Front since the mid-2000s and are examples of cybercrime performed in 
support of an ideological belief system that may be considered acts of cyberter- 
rorism (see Holt et al., 2021). 

In addition, the communications capability afforded by the Internet creates 
an interesting intersection between cyberdeviance and cyberterror. For exam- 
ple, members of extremist and hate groups utilize social media and encrypted 
applications to connect with others across the globe. In fact, various far-right 
extremist groups now depend upon tools like Telegram as a means to commu- 
nicate in more covert ways, as well as promote their agenda (see Chapters 10 
and 11 for more detail). The laws of a given country may not allow such lan- 
guage, as in Germany where it is illegal to post Nazi-related content (Shishkina 
& Issaev, 2018). In the United States, though, such speech is protected under 


the First Amendment of the Constitution; therefore, the act of using online 
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forums to express an opinion largely unsupported by society is deviant, rather 
than illegal, behavior. 


What Makes Cybercrime and Deviance Attractive? 


The rise of cyberdeviance, cybercrime, and cyberterror has led many to ques- 
tion why some people choose to engage in wrongdoing in virtual environments. 
There are several unique factors that may account for offending online, includ- 
ing, but not limited to, the availability of technology in the modern world, 
the ease of committing certain forms of cybercrime, technology acting as a 
force multiplier, the ability to decrease detection by law enforcement via online 
anonymity, and challenges in international extraditions. Each of these issues is 
discussed below and throughout the textbook as recurring themes. 

First and foremost, the ubiquity of technology makes it easy for individuals 
to gain access to the tools necessary to offend with relative ease. The prices 
of computers have dropped substantially over the last decade, making it very 
easy to acquire such equipment. Smaller portable computers, like the iPad and 
smartphones, which can connect to the Internet through cellular technology, 
have also become quite common. As a result, offenders can readily acquire and 
access information from anywhere through these resources. If a person cannot 
afford to buy these devices on their own, they can always use computers in 
Internet cafes and public libraries for free or a small cost. Thus, there are mini- 
mal barriers to computer technology globally. 

In addition, there is a wide range of cybercrimes that can be performed 
dependent upon the individual’s technical skill. Some forms of cybercrime 
require a good deal of skill and proficiency, such as the creation and dissem- 
ination of malicious software. Other forms of cybercrime may be performed 
with minimal investment on the part of the offender. For instance, anyone can 
download pirated music or movies from online environments or send threat- 
ening emails. 

Technology also acts as a force multiplier in that computers and CMCs allow 
a single person to engage in crimes that otherwise would involve multiple peo- 
ple and complex schemes in order to target such a significant number of victims 
(Button & Cross, 2017; Kigerl, 2020). For instance, if a criminal attempted to 
rob a person in the real world, they must often target single individuals due to 
the difficulty in intimidating and managing groups of people. The offender must 
also try to determine in advance if the individual he is attempting to rob has 


money, jewelry, or other goods that are of value. 
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In online environments, offenders can target thousands of victims at a time, 
worldwide, within seconds. Online fraudsters regularly send out unsolicited 
emails, called spam, to thousands of victims using addresses harvested from 
information posted on public websites (Holt & Graves, 2007; Kigerl, 2020). 
Public universities often post the addresses of professors, faculty, and staff on 
their websites. In turn, individuals can copy and collate these addresses into lists 
and use them to send a variety of different spam messages. Thus, fraudsters 
increase the likelihood of success by targeting thousands of victims at once with 


information that is often publicly available (see Chapter 6). 


For more information on the rate of spam distribution, go online 
to: https://securelist.com/all/?category=442 


The risk of detection from law enforcement is much lower in online envi- 
ronments than in the real world. Offenders in the real world must take several 
steps to reduce the likelihood that their actual identity can be determined. For 
example, robbers may wear a mask or baggy clothing to conceal their face and 
build (e.g., Wright & Decker, 1997). They may also try to disguise their voice 
by speaking in a higher or lower tone. Victims may be able to recall information 
about the offender and video cameras may capture the incident on film, making 
it harder to hide the offense from police. 

These issues are largely absent in online environments, as it is easier for offend- 
ers to conceal their real identity (Barratt, 2012; Holt et al., 2017). The faceless 
nature of the Internet makes it easy for individuals to hide their gender, age, or 
race in various ways. A profile in a social networking site like Facebook or email 
account can be created using false information through Google, Yahoo, or Hot- 
mail. This false account can be used to send threatening or harassing messages 
to others to help conceal their true identity (Bocij, 2004; Reyns & Fissel, 2020). 

Similarly, various technological resources are designed to hide a person’s 
location from others. For example, Tor, the service used by individuals to 
access the Silk Road is a form of a proxy server that can be used to hide a com- 
puter’s location by acting as an intermediary between a computer and the servers 
and systems it connects to through the Internet. If we try to access Google from 
a PC using a proxy, the command will be routed through a service that will 
make the request on our behalf and send the information back to us. In turn, the 
servers at Google will not register our computer as the one making the request, 
but rather associate it with the proxy server. Some offenders are even able to 
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route their web and email traffic through other people’s computers in order to 
minimize the likelihood that they are caught (see Chapter 4 for more detail). 


For more on proxy servers, go online to: 


1. https://www.varonis.com/blog/what-is-a-proxy-server/ 


2. https://www.fossmint.com/free-proxy-for-anonymous-web-browsing/ 


Cybercrimes are also attractive for some actors based on the laws of their 
nation. Since individuals can target victims across the world, local laws make a 
significant difference regarding who and what an offender targets. Many indus- 
trialized nations have laws against cybercrimes, increasing the risk of prosecu- 
tion and investigation for offenders if caught (Brenner, 2008; de Arimatéia da 
Cruz, 2020). Therefore, attacking people within that country may increase the 
likelihood of being prosecuted. If; however, a country does not allow their citi- 
zens to be extradited to another country to face prosecution for crimes, then the 
actor cannot be successfully investigated (Brenner, 2008). For instance, there is 
no treaty allowing Russian citizens who engage in attacks against US citizens to 
be brought to the United States for prosecution. Russian criminals cannot be 
extradited for these offenses and may generally receive no punishment for their 


actions (see Box 1.1 for an example). In turn, it is extremely difficult to deter or 


Box 1.1 Getting Around Russian Extradition Laws 


FBI Agent Charged with Hacking 


http://www.nbcnews.com/id/3078784#.WNbZom_ytQI 


In a first in the rapidly evolving field of cyberspace law, Russia’s coun- 
terintelligence service on Thursday filed criminal charges against an 
FBI agent it says lured two Russian hackers to the United States, then 
illegally seized evidence against them by downloading data from their 
computers in Chelyabinsk, Russia. 


This article provides interesting insights into the challenges posed by 
cybercrime investigations that cross national boundaries. 
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sanction cybercriminals in foreign countries and may encourage attacks against 
certain countries with no consequences. 

By contrast, some developing nations may not have laws against computer 
misuse. If there are no laws, then the nation serves as a sort of “safe haven” for 
actors where they can operate with minimal risk of legal sanctions (Brenner, 
2008; Holt, 2003). This was exemplified in the creation of the LOVEYOU 
virus that spread around the world in 2000. This form of malware attacked 
millions of computers and spread through infected email attachments, effec- 
tively crippling the Internet at the time (Poulsen, 2010). The program started 
in the Philippines on May 4, 2000 and spread across the world in a single day. 
It is thought to have been created by a Filipino college student named Onel 
de Guzman, based on the start of the program from Manila and his interest 
in hacking (Poulsen, 2010). At the time, there were no laws against writing 
malware in the Philippines, making prosecutors unable to pursue de Guzman. 
Thus, the absence of laws can make it extremely difficult to combat cybercrimes 
internationally. 

Taken as a whole, the global reach of the Internet has created substantial 
difficulties for law enforcement agencies at home and abroad to enforce 
cybercrime laws globally. The structure of policing, especially in the United 
States, establishes guidelines for the investigation of crimes at the local, 
state, and federal levels. Offenses that occur within a single jurisdictional 
boundary are often the responsibility of local municipal police departments 
or sheriffs’ departments, while those that cross state or national boundaries 
are handled by state or federal agencies. Many cybercriminals may not live 
within the same region as their victim (Hadzhidimova & Payne, 2019), 
though even if they were in the same region, a victim may have no idea 
where the offender actually resides. This creates significant confusion as to 
the appropriate agency to contact and diminishes the amount of cybercrime 
reported to law enforcement (Holt et al., 2015; 2020b). In fact, this under- 
counting is referred to as “the dark figure” of cybercrime, in that the true 
number of offenses is unknown. 

One reason for the lack of reporting is the inherent difficulty in recogniz- 
ing when illegal activities have taken place. Individuals may be completely 
unaware that they have been the victim of cybercrime until it is too late. For 
example, failures in computer hardware and software may be either the result 
of an error in the equipment or a direct result of criminal activities designed 
to hide their occurrence. Many in the general public do not have the skills 
necessary to discern the root cause, making it hard to know when some sort 
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of compromise has taken place. Since cybercriminals attempt to target as many 
victims as possible, it has also been challenging to identify clear risk patterns 
for certain cyber offenses, such as being the victim of malicious software (Holt 
& Bossler, 2015; Maimon & Louderback, 2019). Finally, protective software 
programs designed to reduce individual risk of victimization do not always 
work. This is due in part to user error, such as misconfiguring the software or 
not updating it properly which increases the risk of infections. As a result, anti- 
virus software are not a total solution to reduce the risk of compromise (Holt 
& Bossler, 2015). 

The embarrassment, shame, or harm that may come from reporting cyber- 
crime victimization also reduces the likelihood of contacting law enforcement. 
For instance, individuals are often targeted for what are called romance scams, 
wherein a fraudster develops a romantic, emotional relationship with a person 
and gets the individual to send them money over time (Button & Cross, 2017). 
Victims of these scams often feel substantial shame and embarrassment over their 
experience, not only because of the money lost but over the emotional trauma 
experienced by the betrayal of someone they thought loved them (Button & 
Cross, 2017). Additionally, when they report their experiences to police, they 
often report feeling blamed by police because of their complicity in transferring 
funds to the fraudster (Button & Cross, 2017). 

Taken as a whole, technology affords multiple unique advantages for 
offenders that are not necessarily present in the real world. Technology is 
readily available across the globe, providing offenders widespread access to 
resources. The number of people online provides a wealth of prospective 
victims that can be affected with greater ease than is possible in the real 
world. Technology also offers people the ability to hide their actual identity 
behind a variety of false names and locations, making it difficult to deter- 
mine who is responsible for a criminal incident. Finally, the different legal 
structures and cooperative agreements in place across the globe make it dif- 
ficult to successfully prosecute cybercrimes. As a result, individuals who 
engage in cybercrime and deviance face a much lower risk of detection and 
arrest and may experience greater monetary or emotional rewards from 


cybercrime. 


For more information on the challenges of prosecuting cybercrimes, 


go online to: https://www justice.gov/archives/opa/blog/ensuring-tech- 


savvy-criminals-do-not-have-immunity-investigation 
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Technology as Evidence 


The third and final way that technology may be used in the course of an offense 
is through its incidental role or involvement in a crime. In this case, the com- 
puter may either be involved in the commission of a crime or is being used 
merely as a storage device (Sachowski, 2018). For instance, the presence of 
child pornography on a laptop or cell phone suggests that it is incidental to the 
offense. This information, wherever it is stored, constitutes digital evidence, 
defined as information that is either transferred or stored in a binary form 
(Sachowski, 2018). Digital evidence can be anything from the browser history 
of an individual to the emails, chat logs, photos present on mobile phones, GPS 
devices, IoT devices, and cell phone cameras of both victim and offenders (see 
Chapter 15). Computers, in the traditional sense, are no longer the only devices 
capable of sending emails, chatting, and browsing the Internet. Tablets, music 
players, and various other devices can be connected to the Internet and provide 
some evidence of an individual’s behaviors. 

There are several valuable examples that help clarify what is digital evi- 
dence and when it may be pertinent for various forms of crime both online 
and offline (Maras, 2012; Sachowski, 2018). For example, BTK (Bind, Tor- 
ture, Kill) was a serial killer in Kansas (United States) from 1974 until 2005 
when he was arrested and convicted of ten homicides (Williams & Landwehr, 
2006). The killer murdered ten people in Kansas between 1974 and 1991 
and then went dormant, though he constantly wrote letters to the media and 
police describing his exploits. The investigation went cold, though the BTK 
Killer indicated that he had committed another murder that had not been 
attributed to him. 

Police then began communicating directly with BTK, when the killer asked 
if it was possible to trace his identity on the basis of data on floppy disks. The 
agency erroneously said that they could not, and BTK sent them a disk with a 
document discussing his behaviors. Using specialized computer forensic soft- 
ware to help process the data and evidence located on the disk, investigators 
determined the location of the computer where the disk had been opened, 
as well as the person who created the document. In turn, they were able to 
develop detailed information about the killer and gather enough circumstan- 
tial evidence to suggest a prospective identity, which turned out to be a man 
named Dennis Rader. He was subsequently arrested and pled guilty to the mur- 
ders, receiving ten consecutive life sentences, one for each murder (Williams & 
Landwehr, 2006). 
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Digital evidence can also be derived from online sources that may be pres- 
ent on websites and social media. In fact, digital evidence collected from social 
media sites, such as Facebook and Twitter, has been influential in law enforce- 
ment over the last few years. Following the Vancouver Canucks’ loss to the 
Boston Bruins in the Stanley Cup finals in 2011, a massive riot broke out in 
Vancouver with fans setting vehicles on fire, breaking windows, looting stores, 
and dancing atop overturned cars (CBC News, 2011). Within hours of the riot, 
police received over 3,500 emails that included videos, photos, and web links 
to various social media sites. In addition, a “Vancouver Riot Pics,” Facebook 
page was created to identify those individuals involved in the riots by allowing 
the public to “tag” the pictures and videos (Leger, 2011). More than 100 people 
were arrested through the assistance of social media. 

With virtually every crime incorporating some form of digital evidence, it 
is up to law enforcement to be able to identify the possible sources of infor- 
mation and the locations where such information may be found. Various 
peripheral devices like flash drives, CDs, DVDs, and even gaming systems 
may contain digital evidence that can be collected. Some companies even 
produce removable storage media that are easily disguised, such as a pair of 
sunglasses or a wristband that contains a flash drive. With digital devices 
increasingly being used to target, act as a tool, or provide support for criminal 
activities, law enforcement and investigators must understand the nature of 


the digital crime scene. 


For more on hidden media devices, go online to: www.trendhunter. 


com/slideshow/disguised-usb-drives 


A Typology of Cybercrime 


In light of the various ways that technology engenders crime and deviance as 
well as fosters unique tactics for offending, it is necessary to understand the 
wide range of behaviors that constitute cybercrime. David Wall (2001) cre- 
ated one of the most recognized typologies of cybercrime, which encapsulates 
behavior into one of four categories: (1) cyber-trespass; (2) cyber-deception and 
theft, (3) cyber-porn and obscenity, and (4) cyber-violence. These categories 
reference the wide range of deviant, criminal, and terrorist behaviors that have 
emerged utilizing technology, as well as the subcultures supporting offenders 


throughout the world. 


Technology and Cybercrime 


20 


Cyber-Trespass 


The first category is cyber-trespass, referring to the act of crossing bounda- 
ries of ownership in online environments. This may seem confusing at first. If 
you go to a coffee shop or restaurant, you may notice they offer free Wi-Fi. 
Their network probably has a name that they chose which identifies their net- 
work and indicates who manages and is responsible for that space. In order to 
use the service, you must join their network and accept the terms of service 
that may come up when you open your web browser. In this instance, the cof- 
fee shop owns and manages this wireless network but allows others to use the 
connectivity. By contrast, if the shop did not offer connectivity to custom- 
ers, but you attempt to join and use their Wi-Fi anyway, you are trespassing 
because you are trying to break into the network that they own without the 
company’s permission. 

The issue of ownership is critical in instances of trespass; especially for 
computer hackers who often attempt to access computer systems, email 
accounts, or protected systems that they do not own (Steinmetz, 2015). 
Many in the general public recognize hackers for their involvement in crim- 
inal acts of trespassing sensitive boundaries of ownership, contributing to the 
belief that hackers cause significant harm to citizens, industry, and govern- 
ment alike. Though not all hackers engage in crime (Steinmetz, 2015), those 
who do cost individuals and corporations a great deal of money each year. 
Individuals who are interested in computer hacking operate within a large 
online subculture with participants from across the globe (Leukfeldt et al., 
2017). They often come together online to discuss various techniques of 
hacking and their attitudes toward hacking with or without permission from 
system owners (Holt, 2007; Leukfeldt et al., 2017). Because not all hackers 
engage in crime, there is a rift within the subculture based on an individu- 
al’s willingness to engage in acts of cyber-trespass in support of hacking (see 


Chapter 3 for more detail). 


Cyber-Deception/Theft 


The second category within Wall’s (2001) typology is cyber-deception 
and theft, which can extend from hacking and other forms of cyber-trespass. 
This category includes all the ways that individuals may illegally acquire 
information or resources online and often goes hand in hand with tres- 


pass. For instance, criminals can use email messages to acquire bank account 
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information from victims through the use of phishing messages (Leukfeldt 
et al., 2017). In this case, a criminal sends a message claiming to be from a 
bank or financial institution which needs the prospective consumer to val- 
idate their account information by clicking on a web link provided in the 
message. The individuals are then sent to a fraudulent website that resembles 
the actual financial institution and are asked to enter in their bank account 
username, login, and other sensitive information (Leukfeldt et al., 2017). This 
data is then stored and used by the criminal to engage in fraud or resold to 
others through an online black market for stolen data. These crimes are par- 
ticularly costly for consumers and businesses, as a data breach resulting from 
phishing or other means can cost an average of $8.19 million in the United 
States alone (IBM, 2019). 

The problem of digital piracy is also included in cyber-theft, encompassing 
the illegal copying, using, or distributing of digital media, such as computer 
software, digital sound recordings, and digital video recordings, without the 
explicit permission of the copyright holder (Lee et al., 2018). Almost 40 percent 
of consumers in 18 of the world’s leading markets obtained their music through 
digital piracy (IFPI, 2018). The Recording Industry Association of America’s 
website reports a 2007 study that estimated that music piracy costs the music 
industry $12.5 billion and 71,000 jobs (Siwek, 2007). The Business Software 
Alliance (2018) estimated that software piracy costs $52 billion in 2017. These 
estimates should be interpreted with caution as they come from businesses or 
advocacy groups who have financial incentives for bringing attention to the 
issue of digital piracy and may incorrectly formulate that a pirate would have oth- 
erwise purchased the movie, show, song, video game, or piece of software (Yar 
& Steinmetz, 2019). 


For more information on the problem of software piracy, go online 


to: https://gss.bsa.org/ 


The problem of piracy appears to be facilitated in large part by the sub- 
culture of pirates operating online (see Chapter 5 for further discussion). The 
participants in this subculture help break copyright protections on DVDs, 
Blu-ray disks, and software and distribute these materials online. In fact, indi- 
viduals can access pirated media and software through various outlets, includ- 
ing file-sharing services, torrents, and websites (Cox & Collins, 2014; Holt & 


Copes, 2010). Participants in this subculture also encourage piracy by sharing 
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their attitudes toward copyright law and minimizing the harm caused by pirat- 
ing media (Steinmetz & Tunnell, 2013). Many young people believe piracy 
is an acceptable victimless behavior that has little impact on artists or private 
industry (Brown, 2016; Hashim et al., 2018; Steinmetz & Tunnell, 2013). 
Thus, cyber-deception and theft involves multiple activities that cause signifi- 


cant financial harm. 


Cyber-Porn/Obscenity 


The third category in Wall’s typology of cybercrime is cyber-porn and 
obscenity, representing the range of sexually expressive content online. As 
noted earlier, sexually explicit content is defined differently based on location. 
Thus, porn and obscenity may be deviant or criminal based on local laws. The 
relatively legal nature of adult pornography has enabled the development of 
an extremely lucrative industry, thanks in part to the availability of streaming 
web content and high-speed connectivity (Deshotels & Forsyth, 2020; Lane, 
2000). In addition, amateurs are increasingly active in the porn industry due 
to the ease with which individuals can produce professional quality images and 
media through HD digital cameras, web-enabled cameras, and other equip- 
ment (Deshotels & Forsyth, 2020; Lane, 2000). While viewing pornographic 
content is not illegal for individuals over the age of 18, accessing certain con- 
tent, such as violent or animal-related material, may be criminal depending 
on local laws. 

The ability to access pornographic content has also enabled the development 
of online subcultures focused on various deviant sexual activities. Individuals 
with niche sexual fetishes can identify multiple outlets to discuss their interests 
with others in web forums, email lists, and online groups that engender the 
exchange of information in near real time (Deshotels & Forsyth, 2020). In turn, 
these spaces help to make people feel they are part of a larger group that vali- 
dates their beliefs and attitudes. 

Sexual subcultures can also move into criminal activity when the actors 
victimize children and adults either online or offline. For instance, prostitutes 
increasingly utilize the Internet to advertise their services and keep in touch with 
clients (Cunningham & Kendall, 2010; DeAngelo et al., 2019). The customers 
of sex workers also utilize this technology in order to discuss their experiences, 
provide detailed accounts of their interactions, and warn others about police 
activities in a given area (Holt & Blevins, 2007; Sharp & Earle, 2003). Simi- 


larly, pedophiles who seek out sexual relationships with children frequently use 
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CMCs in order to identify and share pornographic and sexual images (Deshotels 
& Forsyth, 2020; Jenkins, 2001; Quayle & Taylor, 2002). They may also use 
forums and instant messaging to connect with children in an attempt to move 
into offline relationships (Wolak et al., 2003, 2004). 


Cyber-Violence 


The final form within Wall’s typology is cyber-violence, referring to the abil- 
ity to send or access injurious, hurtful, or dangerous materials online. This may 
encompass emotional harm such as embarrassment or shame, and in limited cir- 
cumstances physical harm through suicidal ideation (Hinduja & Patchin, 2015). 
For example, the volume of information available through social networking 
sites, coupled with frequent use of CMCs, has increased the likelihood that 
individuals will be bullied, harassed, or stalked online (Hinduja & Patchin, 2015; 
Reyns & Fissel, 2020). Individuals from various age-groups are increasingly 
receiving threatening or sexual messages via email, instant message, or texts 
(Reyns & Fissel, 2020; Smith et al., 2017). People can also use CMCs to post 
embarrassing video, images, and text about another person for the public to see. 
In fact, technology has greatly increased the likelihood of emotional or psy- 
chological harm resulting from these messages (see Chapter 9; Duggan, 2017; 
Lenhart et al., 2016). 

Various extremist groups with their own subcultural norms and values uti- 
lize the Internet in order to promote their beliefs and connect interested parties 
together (see Chapter 10 for details). Social media sites like Facebook, video 
sharing sites like YouTube, and various web forums are used by extremist 
groups to promote their ideological beliefs (Hamm & Spaaij, 2017; Scrivens 
et al., 2020; Weimann, 2011). For instance, Dylann Roof shot and killed nine 
African Americans in a church in Charleston, South Carolina, on June 17, 2015 
(Hankes, 2015). His attack was racially motivated, and it was discovered shortly 
after his arrest that he operated a website where he posted pictures of himself 
with guns, Confederate flags, and neo-Nazi and white supremacist parapher- 
nalia, along with a manifesto explaining his views. He also posted on a white 
supremacist web forum called The Daily Stormer and used it as a vehicle to 
express his racist beliefs (Hankes, 2015). 

In addition, extremist groups have utilized the Internet in order to engage in 
attacks against governmental targets worldwide. Hackers associated with various 
jihadist groups around the world have attempted to engage in Distributed 


Denial of Service (DDoS) attacks against governments and private 


23 


Technology and Cybercrime 


24 


businesses (Ashok, 2016; Hamill, 2014). In a DDoS attack, individuals send 
multiple requests to servers that house online content to the point where these 
servers become overloaded and are unable to be used by others. As a conse- 
quence, these attacks can completely knock a service offline, causing compa- 
nies to lose money and, potentially, customer confidence. For instance, the Izz 
ad-Din al Qassam Cyber Fighters engaged in a series of cyberattacks against 
various US financial institutions in 2012 and 2013 (Hamill, 2014). Similarly, the 
hacker group Anonymous used DDoS attacks in order to stage protests against 
government, industry, and civilian targets (Correll, 2010; Poulsen, 2011). 
Thus, the use of technology has expanded the capability of extremist groups 
to affect populations and targets well beyond their overall capacity in the real 
world. 


Overview of the Textbook 


Given the range of criminal and deviant acts that are enabled by the Internet 
and CMCs, it is critical that we understand as much about these phenomena 
as possible. Thus, this book will explore the spectrum of cybercrimes in detail, 
considering how real-world crimes have incorporated technology, as well as 
the unique forms of offending that have emerged as a direct result of tech- 
nology. In addition, each chapter will consider the unique subcultures that 
have emerged in online environments around a form of deviance, crime, or 
a specific ideology. The subcultural norms of each group will be explored in 
order to understand how involvement in this subculture affects behavior both 
online and offline, as well as its influence on attitudes toward crime and devi- 
ance. Finally, statutes in the United States and abroad that have been created 
to address these issues will be covered, along with the local, state, national, and 
international law enforcement agencies that have responsibilities to investigate 
and enforce those laws. 

Chapter 2: Law Enforcement, Privacy, and Security in Dealing with Cybercrime 
provides an overview of the various entities involved in policing cybercrimes. 
These entities include traditional local, state, and federal law enforcement agen- 
cies as well as organizations and industry bodies that actively attempt to mitigate 
cybercrimes without a legal mandate from the state. 

Chapter 3: Computer Hackers and Hacking explores computer hacking in 
depth, including its role in attacks against individuals and corporations alike. 
Chapter 4: Malware and Automated Computer Attacks explores the problem of 


malicious software and its evolution over time. Chapter 5: Digital Piracy and 
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Intellectual Property Theft considers the issue of digital piracy, as well as the use of 
the Internet to steal intellectual property, such as algorithms and design plans, 
from citizens, companies, and governments. Online fraud and theft, including 
the use of email scams to acquire financial information from unsuspecting vic- 
tims, are further explored in Chapter 6: Online Fraud. 

Chapter 7: Pornography, Image-Based Sexual Abuse, and Prostitution covers a 
wide variety of online sexual behavior, including pornography, how the Inter- 
net has affected traditional prostitution, and how the criminal justice system has 
attempted to evolve to address these issues. Chapter 8: Child Sexual Exploitation 
Material Offenses considers sexual crimes against children, including child moles- 
tation and the creation, distribution, and viewing of child sexual exploitation 
materials, or CSAM. 

Chapter 9: Cyberbullying, Online Harassment, and Cyberstalking investigates 
the significant interpersonal forms of violence of online harassment, cyberbully- 
ing, and cyberstalking. Chapter 10: Online Extremism and Cyberterror explores the 
use of technology to spread hate speech and extremism across the globe. Chap- 
ter 11: Cyberwarfare and Information Operations Online examines the concept of 
cyberwarfare in practice and details how nation-states and individuals intersect 
to cause harm across the globe. 

Chapter 12: Illicit Market Operations Online discusses the ways that all manner 
of illicit goods now move through online channels on the open and Dark Web, 
from drugs and identity documents to cybercrime tools. 

Chapter 13: Cybercrime and Criminological Theories provides the reader with an 
in-depth examination of whether traditional criminological theories can help us 
understand why individuals commit the wide range of behaviors that is encom- 
passed in cybercrime. It will also explore the idea of whether new cybercrime 
theories are needed or whether our current stock of criminological theories is 
adequate in explaining these “new” forms of crime. 

Chapter 14: Evolution of Digital Forensics elaborates the concept of digital 
forensics and the process of seizing evidence from various devices. Chapter 
15: Acquisition and Examination of Forensic Evidence details the various tools used 
in the process of evidence analysis, as well as the techniques involved in data 
recovery and investigation generally. Chapter 16: Legal Challenges in Digital 
Forensic Investigations focuses on the process of evidence presentation in court, 
and the laws that affect what is admissible and when by an analyst. 

Finally, Chapter 17: The Future of Cybercrime, Terror, and Policy considers 


the future of cybercrime with a discussion of the ways that the global nature of 


technology hinders our ability to effectively regulate these offenses. 
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Key Terms 


Computer crime 
Computer-mediated communications (CMCs) 
Cybercrime 

Cyber-deception 

Cyberdeviance 

Cyber-porn 

Cyberterrorism 

Cyber-trespass 

Cyber-violence 

Deviance 

Dark Web 

Digital evidence 

Digital immigrant 

Digital native 

Distributed denial of service attack 
Incidental 

Phishing 

Proxy server 

Spam 

Subculture 

Technicways 

The Onion Router, or TOR service 
Web defacement 


Discussion Questions 


1. Think carefully about your current access to technology. How many lap- 
tops, desktops, tablets, and mobile devices do you own? How much time 
do you spend online? How would you compare your use of technology 
to your peers’? 

2. Take a few moments to think critically about the way in which you 
share information with the world through online environments. How 
many social media accounts do you have and on how many different 
platforms? Do you cautiously share personal information? How much 
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detail do you place about yourself in posts on any social media platform? 
Do you use the same credit card for all online purchases? How often do 
you pirate media? Keeping this in mind, detail the various ways in which 
you could become a victim of as many forms of cybercrime as is possible. 


Go 


. Do you belong to any online or offline subcultures? What are they, and 
how do you think they affect your activities and attitudes toward the 
world around you? 

4. How much overlap do you see between real-world crimes and cyber- 

crimes? Should we have distinct terms to recognize crime or deviance 

in online environments, or should all offenses just be classified as crimes 


regardless of where and how they occur? 
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Chapter Goals 


e Recognize the responsibilities of local, state, and federal law enforce- 
ment agencies in responding to domestic and international cybercrimes 

e Understand the different agencies that respond to cyberattacks against 
military or government systems compared to that of citizens 

e Differentiate between civil and criminal law as it applies to digital 
investigations, including the role of private investigators in digital evi- 
dence handling and investigation for civil matters 

e Appreciate the challenges that emerge in dealing with cybercrime 
investigations that cross national borders 

@ Deliberate upon why governments must balance the privacy rights of 
citizens against intelligence collection strategies employed to investi- 
gate national threats 

e Discuss how companies and governments diminish their perceived 


legitimacy based on their use of certain strategies 


Introduction 


Most nations socialize citizens to contact their local emergency service provider 
in the event of a crime, as with 911 in the United States or 999 in the United 
Kingdom. The average person may assume that their local police agency is the 
appropriate point of contact in the event they experience cybercrime victimi- 
zation. This is unlikely to result in a successful interaction for either the person 
or the agency. 

Policing and law enforcement agencies are complex bureaucracies with roles 
and responses that are bound by jurisdiction. Ifa person is the victim of identity 
fraud or theft in which an offender living in another state or country uses their 
information to make online purchases, the limited jurisdiction of a local agency 
would mean that they could not respond to the call for service (Walker & Katz, 
2022). Instead, it would likely have to be reported to a federal or national law 
enforcement agency, and even then, it may not be resolved in a satisfactory way 
for the victim due to the difficulties in transnational investigations. 

Alternatively, the type of victimization an individual experiences may 
not be viewed as an incident that law enforcement can actually investigate. 
For instance, if an average home computer user’s machine is infected by a 
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piece of malicious software, a local law enforcement agency may say that 
this is not a crime they can investigate. If there is no evidence that their 
personal information was compromised or misused by the attacker, 
then the incident may not technically constitute a violation of local laws 
(see Chapter 4 for more details on state malware laws). Similarly, receiving 
a single mean or harassing message on Facebook or Twitter may not be 
sufficient to justify a criminal complaint to a police agency (see Chapter 9 
for more information). 

These conditions have significant consequences for the criminal justice sys- 
tem. Citizens are less willing to contact police agencies about their cybercrime 
victimization than physical victimization, even if the victimization is serious 
(e.g., Cross, 2015). Graham et al. (2020) found in a sample of United States 
respondents that individuals were more likely to report serious victimization to 
the police and slightly more likely to report physical crimes than cybercrimes. 
Respondents also believed that the police were less likely to identify and arrest 
an offender who committed a cybercrime than a traditional offense. Van de 
Weyer et al. (2020) found in a Dutch sample that individuals were more likely 
to report serious cybercrime than minor ones and less likely to report their vic- 
timization if they knew the offender. 

If underreporting becomes a normalized behavior, which it may have already 
become, then we will not truly understand the frequency and seriousness of 
cybercrime victimization, which individuals are experiencing. Such a concern 
is real and has been an acknowledged problem by law enforcement, policy- 
makers, and researchers since the mid-1990s (e.g. Goodman, 1997; Stambaugh 
et al., 2001). Despite this recognition, police agencies, especially those at the 
local level, have been relatively slow to respond or adapt to the issue of cyber- 
crime. In fact, empirical research on the police response to cybercrime is still 
limited, despite the severity of these offenses, in comparison to the amount of 
police-oriented research on other topics, such as gangs and domestic violence 
(see Holt et al., 2015). 

This chapter will examine why police agencies at all levels have challenges 
in responding to cybercrime. We first provide an overview of the local, state, 
and federal or national agencies that investigate cybercrimes as well as attacks by 
nation-states and terror threats. Next, the increasingly common role of civil law 
in digital forensic examination and responses to technology misuse by corpora- 
tions is also considered. We conclude the chapter by considering the growth of 


corporations and intelligence agencies’ use of data mining online behavior and 


the challenge this poses to personal privacy. 
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Role of Municipal Police Departments and Sheriff 
Offices in Investigating Cybercrime 


Local law enforcement departments, including local municipal police depart- 
ments and Sheriffs agencies, are responsible for responding to a wide variety of 
calls, helping citizens, investigating crimes, arresting offenders, preventing crime, 
increasing public feelings of safety, and generally responding to a wide range of 
citizen requests within their limited jurisdiction (Walker & Katz, 2022). Just as 
with traditional forms of crime, most individuals may think that the first agency 
to contact for assistance with a cybercrime is their local law enforcement agency. 
There is, however, a substantial degree of variation in the size and response 
capabilities of local law enforcement. For example, Nowacki and Willits (2020), 
using the 2013 Law Enforcement Management and Statistics Survey, found that 
larger and more complex agencies with more hierarchical levels and more spe- 
cialization were more likely to specifically dedicate resources to cybercrime. 

In the United States, the majority of law enforcement agencies involve local 
police forces serving cities, often referred to as municipal police departments. 
Sheriffs’ departments, on the other hand, have different responsibilities depending 
on their location throughout the United States. Some have policing responsibil- 
ities (e.g., patrolling and responding to calls) of unincorporated areas throughout 
a county. They often have to patrol and handle calls for services in remote and 
rural areas depending on the region of the country. Other Sheriff departments may 
not have policing responsibilities and instead only maintain the county jail, provide 
court security, and enforce civil laws, such as evictions (Walker & Katz, 2022). 
Most local law enforcement agencies serve small populations in rural or suburban 
communities with populations under 50,000 (Walker & Katz, 2022). As of 2016, 48 
percent of all local agencies had less than ten sworn officers (Hyland & David, 2019). 

In the United Kingdom, territorial police forces are responsible for polic- 
ing a specific jurisdictional region and generally comprise the majority of police 
agencies (Yar, 2013). In Canada, major urban centers, such as Toronto or Mon- 
treal, also have their own police forces that serve the local population. Local law 
enforcement agencies in most countries, including the United States, do not cur- 
rently have a large role in the prevention and investigation of most forms of cyber- 
crime. They are responsible, however, for investigating crimes in which a victim 
and offender reside within their jurisdiction. For example, local law enforcement 
is primarily responsible for investigating most cases of online harassment or stalking 
(see Chapter 9). Person-based cybercrime cases such as the creation and consump- 
tion of child sexual exploitation materials (see Chapter 8; Jenkins, 2001), as well as 
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sexual solicitation and prostitution cases in the United States, may also be inves- 
tigated by local police agencies (see Chapter 7; Cunningham & Kendall, 2010). 

Over the last three decades, both scholars and police administrators have 
created lists of reasons why cybercrime poses significant challenges for local law 
enforcement and why they are not more heavily involved (Burns et al., 2004; 
Goodman, 1997; Holt et al., 2010; Senjo, 2004; Stambaugh et al., 2001). Some 
of the challenges can be addressed by placing a higher priority on cybercrimes 
and providing more funding to police these offenses. Others are not so easily 
addressed. The list of challenges includes but is not limited to: 


© jurisdictional issues caused by the victim and offender not living in the same 
municipality or county; 

e lack of a standard definition for cybercrime; 

e little public outcry in comparison to traditional crime, particularly violent crime; 

e difficulty in investigating an invisible crime; 

e difficulty in acquiring and maintaining the technologies required to investi- 
gate these resources (see Chapters 14-16); 

e challenges in training, retraining, and retaining trained officers; and 


e lack of managerial and police support for the investigation of cybercrimes. 


Although the above list of challenges appears to be insurmountable to some, 
scholars and police administrators have still argued that local law enforcement 
must play a larger role in investigating cybercrimes (e.g. Bossler & Holt, 2012; 
Popham et al., 2020; Stambaugh et al., 2001). Some have argued for the devel- 
opment of more local cybercrime investigation units that could directly respond 
to crimes involving digital evidence in order to decrease assistance from state 
and national/federal levels (Hinduja, 2007; Horgan et al., 2021; Marcum et al., 
2010). A recent longitudinal analysis of law enforcement data within the United 
States demonstrates that there has been an increase in the number of specialized 
cybercrime units at the local level (Willits & Nowacki, 2016). They are, how- 
ever, more likely to appear in police agencies that serve a very large population, 
such as major cities and urban centers, have greater patrol duties, and possess 
greater general access to technology (Willits & Nowacki, 2016). 


For more information on the challenges cybercrimes pose to local 
law enforcement, go online to: https://www.ncjrs.gov/pdftiles1/nij/ 
186276.pdf 
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Other scholars and commentators have focused on the need for patrol officers 
to improve their ability to act as first responders to crime scenes with computers 
or digital evidence (Holt et al., 2010; National Institute of Justice, 2008; Stam- 
baugh et al., 2001). Almost no data exist in the United States on how often 
patrol officers actually respond to cybercrime calls, although it seems quite rare 
(Bossler & Holt, 2012; Holt et al., 2010). Other nations provide this information 
in national policing statistics, such as Canada and South Korea (Popham et al., 
2020). Scholars and police administrators similarly argue for more computer and 
technology training for patrol officers since patrol officers in the United States 
are overall ill prepared to respond to digital evidence scenes (Hinduja, 2007; 
Holt et al., 2010; Horgan et al., 2021; Popham et al., 2020; Stambaugh et al., 
2001). Government documents and training manuals indicated awhile back that 
government officials expected this not to be the case in the near future. For 
example, in the United States, the National Institute of Justice (NIJ) published 
the Electronic Crime Scene Investigations: A Guide for First Responders, Second Edition 
in 2008. As of the time of this edition, there is still not the third edition. 

This guide, which was created primarily for patrol officers, provided both 
basic and more advanced information on how to properly respond to a digital 
crime scene, including how to recognize, seize, document, handle, package, 
and even transport digital evidence. Instead, other online sources are now avail- 
able for first responders to review and easily access. For example, the US Secret 
Service (n.d.) published the third version of Best Practices for Seizing Electronic 
Evidence: A Pocket Guide for First Responders to help first responders with com- 
mon issues surrounding scenes with digital evidence. This document provides a 
similar direction for law enforcement as to how to triage and process computers 


and mobile devices at crime scenes. 


For more information on the US Secret Service’s Best Practices 
for Seizing Electronic Evidence, go online to: https://www.crime- 


scene-investigator.net/SeizingElectronicEvidence.pdf 


As the world of digital and smart devices continues to grow, it is essential 
that police expand their capability to properly seize digital evidence. The rise of 
smart vehicles, televisions, and IoT devices like Alexa could all store evidence 
to support a criminal investigation (see Chapters 14-17). Thus, it would seem 
to be a necessity that patrol officers have minimal computer literacy in order to 


know what to secure and understand the lexicon of witnesses. 
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For more information on ways that local agencies may move for- 
ward to better respond to cybercrime, go online to: http://www. 
policeforum.org/assets/docs/Critical_Issues_Series_2/the%20role%20 
of%20local%20law%20enforcement%20agencies%20in%20preventing 
%20and%20investigating%20cybercrime%202014.pdf 


Interestingly, it appears that police officers do not share the same views as 
administrators and academics regarding their role in handling cybercrimes or 
crimes with digital evidence (Holt et al. 2019). Patrol officers know that local 
law enforcement agencies generally place a low priority on most forms of cyber- 
crime unless it involves child sexual abuse content (Hinduja, 2004; Holt & 
Bossler, 2012; Holt et al., 2019; Senjo, 2004; Stambaugh et al., 2001). Local 
agencies may also be increasing their capabilities to investigate various forms of 
online economic crimes (Bossler, Holt, Cross, & Burruss, 2019), but they do 


not really focus on computer intrusion offenses (see Box 2.1; Holt et al., 2010). 


Box 2.1. Increasing Local Police Capacity to 
Investigate Cybercrime 


Coaxing Cops to Tackle Cybercrime? There’s an App for That 


https://www.npr.org/2020/01/15/796252827/coaxing-cops-to-tackle- 
cybercrime-theres-an-app-for-that 


“If somebody walked into the precinct holding a bloody handkerchief 
to their head and said, “Somebody hit me over the head and took a 
thousand dollars out of my wallet,’ you’d have five cops running out to 


5} 


find the guy,’” says Nick Selby, a former police detective with exten- 
sive cyber security experience. “[But] if they come in and say, ‘Some 
scammer took a thousand dollars from me,’ [police say] ‘Ooooh, you’ve 


got to call the FBI!’ That’s crazy. That’s the old way of thinking.” 


This article details the development of a training application within the 
NYPD that provides officers with details on how to interview victims 
of cybercrime cases. The story provides a good example of innovative 
strategies that could be implemented widely to improve the response to 


cybercrime calls for service. 
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In addition, they feel that police management, and prosecutors for that matter, 
have little knowledge of cybercrime and do not have the appropriate resources 
to adequately investigate and prosecute most forms of cybercrime (Burns et al., 
2004; Holt et al., 2010; Stambaugh et al., 2001). They therefore do not believe 
that local law enforcement should be primarily responsible for dealing with 
cybercrime (Bossler & Holt, 2012; Burns et al., 2004; Holt et al., 2019). They 
place less emphasis than police administrators on the importance of creating local 
cybercrime investigative units and implementing additional computer training 
(Bossler & Holt, 2012). Instead, they believe that the best strategies for dealing 
with cybercrime would be for citizens to be more careful online and changes to 
the legal system. Officers also believe that they cannot get involved in offenses 
that are not criminal in nature, such as cyberbullying, and also believe parents 
and schools need to handle these issues (Patchin et al., 2020). It would seem that 
they would not want any substantial changes to their roles of primarily dealing 


with traditional forms of crime and order maintenance. 


State Agencies’ Roles in Investigating Cybercrime 


The next level of law enforcement that currently has any substantial respon- 
sibility in addressing cybercrime is state (e.g., United States, Australia) and 
provincial (e.g. Canada) police agencies (Walker & Katz, 2022). In the 
United States, state agencies can focus on highway traffic control, state law 
enforcement, or provide laboratory services to smaller agencies depending on 
the state’s Constitution and the mission of the state agency. In general, many 
states have a state law enforcement agency that can investigate crimes where a 
jurisdictional conflict exists or limited resources prevent a smaller agency from 
investigating the crime adequately (Walker & Katz, 2022). 

Some state law enforcement agencies may also provide forensic laboratory 
services, including digital, for other state and local agencies. In many cases, 
the procedures and resources discussed in Chapters 14-16 of this text are not 
available to local law enforcement agencies and instead are conducted by state 
and federal labs. As noted earlier, evidence suggests the number of specialized 
cybercrime units has grown over the last two decades, particularly at the state 
level (Willits & Nowacki, 2016). This may be due to the enhanced budgets 
available to state agencies, and their role in supporting municipal and rural area 
law enforcement (Holt et al., 2015; Willits & Nowacki, 2016). Thus, state 
agencies and resources are crucial resource to investigate cybercrimes that do 


not cross state boundaries. 
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In addition to specialized cybercrime units, state agencies in the United 
States have developed their own intelligence sources called fusion centers 
to communicate and investigate threat information to both local and federal 
agencies (Chermak et al., 2013; Coburn, 2015). The concept of fusion centers 
was developed in 2003 as a collaborative effort between the Department of 
Homeland Security and the Office of Justice Programs to improve communica- 
tion of intelligence information in the wake of the 9/11 terror attacks (Coburn, 
2015). Fusion centers develop information and process leads that may be used 
to produce information threats that may be of value for law enforcement at the 
local, state, or federal level. Initially, centers focused on intelligence gathering 
on terror threats, but many now develop information on various crimes, includ- 
ing cyberthreats. Their utility in developing credible intelligence, however, has 
been substantially criticized regarding threats to both on- and offline environ- 
ments (Coburn, 2015; Lewandowski & Carter, 2017; see Box 2.2 for details). 


Box 2.2 Assessing the Credibility of a Fusion 
Center’s Analysis of a Cyberattack 


DHS Issued False “Water Pump Hack” Report; Called It a 
“Success” 


https://www.wired.com/2012/10/dhs-false-water-pump-hack/ 


But while DHS was busy pointing a finger at the fusion center, its own 
Office of Intelligence and Analysis had been irresponsibly spreading 
the same false information privately in a report to Congress and the 


intelligence community... 


This excellent story by Kim Zetter details the story of an Illinois fusion 
center that wrote up a detailed report suggesting a failed water pump in 
a local water district's SCADA system in 2011 was the result of Rus- 
sian hackers. The initial report was invalidated by subsequent investiga- 
tion of data by both DHS and the FBI, revealing that an Illinois contract 
employee logged into the system while on vacation in Russia. The impact 
of poor reporting, however, was viewed as a success by DHS because it 
focused attention on the work of fusion centers generally. Thus, this story 
reveals the potential challenges that may result from the work of state 


fusion centers. 
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Federal Law Enforcement and Cybercrime 


The highest levels of law enforcement in the United States and Australia operate 
at the federal level. They are often the entities most frequently engaged in the 
investigation of cybercrimes due to the transnational nature of these offenses. In 
many cases, the victim and offender may live in different states or even different 
countries. In addition, many types of cybercrime are quite complex and require 
highly technical investigations. Nations have generally provided more resources 
for federal or national law enforcement agencies to investigate these offenses 
rather than state or local agencies (Walker & Katz, 2022). Federal agencies may 
also play a large role in addressing crimes or managing catastrophic incidents that 
require cooperation among many agencies across several jurisdictions affecting 
large populations. 

The first federal law enforcement agency in the United States was the 
Coast Guard, which began in 1790 in order to prevent smuggling and properly 
collect import taxes and duties from incoming ships (Bowling & Sheptycki, 
2012). Over time, additional agencies were added as a result of the expansion of 
the nation and changes in the responsibilities of the government. Students will 
read in the upcoming chapters about the prominent roles that federal or national 
law enforcement agencies have in dealing with a wide variety of cybercrime. 
Many of these agencies serve multiple roles ranging from the prevention, inves- 
tigation, and apprehension of cyber offenders to intelligence gathering and shar- 
ing. Readers of this volume will discover the Federal Bureau of Investigation’s 
(FBI) role in investigating computer intrusion (Chapter 3), piracy and intellec- 
tual theft (Chapter 5), economic crimes (Chapter 6), creation, downloading, 
and disseminating child sexual exploitation materials (Chapter 8), serious forms 
of stalking that cross state boundaries (Chapter 9), and cyberterror (Chapter 10). 

Readers will also see that there exists considerable jurisdictional overlap at 
the federal level with several agencies being responsible for investigating the 
same categories of cybercrime. For example, the United States Secret Service 
also investigates computer intrusions affecting financial institutions (Chapter 3) 
and economic crimes (Chapter 6). The Bureau of Customs and Border Patrol 
(CBP) may play a role in investigations of intellectual theft (Chapter 5) and eco- 
nomic crimes (Chapter 6), while Immigration and Customs Enforcement (ICE) 
may also be involved in identity theft (Chapter 5), economic crime (Chapter 6), 
and child sexual exploitation materials (Chapter 8) cases. 

The highest levels of law enforcement in nations such as Canada, South 
Korea, and the United Kingdom are national police forces. These agencies 
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primarily serve the same functions as federal law enforcement in the United 
States. The United Kingdom operates “special police forces” that operate across 
multiple jurisdictions. For example, the National Domestic Extremism and 
Disorder Intelligence Unit responds to incidents of extremist activity within 
the United Kingdom. The National Crime Agency, which contains multi- 
ple commands, including Border Policing and the National Cyber Crime Unit 
(National Crime Agency, 2017), responds to serious economic forms of cyber- 
crime, as well as organized crime and other offenses that affect the nation and 
extend beyond local jurisdictional boundaries. In Canada, the Royal Cana- 
dian Mounted Police (RCMP) serves as the national police force and also 
patrols for seven of the ten provinces and three territories within the nation. 
The RCMP operates in a similar fashion to the US FBI or Australian Federal 
Police and is responsible for the investigation of both traditional and cyber- 
crimes (Bowling & Sheptycki, 2012). 

When problems escalate to the level of national safety, non-law enforce- 
ment agencies may become involved in addition to the abovementioned agen- 
cies (Andress & Winterfeld, 2013). For example, the Department of Defense’s US 
Cyber Command and the National Security Agency (NSA) are involved in 
any investigation that compromises a military computer network or system, as well 
as cases of cyber terror and warfare. The Ministry of Defense and Government 
Communications Headquarters (GCHQ) play a similar role in the United 
Kingdom, as does the Cyber Security Agency (CSA) in Singapore and the 
Communications Security Establishment (CSE) in Canada. Thus, there is 


some separation of investigative responsibilities depending on the target of an attack. 


Civil Investigation and Application of Digital Evidence 


Everything discussed thus far in the chapter involves violations of criminal law 
and statute. This is not the only mechanism available to deal with cybercrimes. 
In most nations, there is both criminal law and civil law. Criminal cases 
pursue charges against an individual on behalf of the state and the victim and 
recognize that a person has violated rules governing our behavior expressive 
of moral guidelines for action that protect others in society from harm (Kerley 
et al., 2019). Civil law involves disputes between parties, including individuals, 
groups, organizations, and government entities, that involve a violation of laws 
involving private rights and protections rather than morality. 

In a civil case, a party can file a suit against another on the basis of a con- 


tractual violation or injury. The entity who files the suit is referred to as the 
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plaintiff, while the person being sued is the defendant (Kerley et al., 2019). 
Civil cases primarily focus on monetary compensation to the plaintiff, which 
may be to replace losses suffered, which are called compensatory damages. A 
plaintiff may also seek punitive damages, or money as a means to punish the 
defendant for wrongful actions due to negligence, deceptive practices, or mali- 
cious activity (Kerley et al., 2019). 

Civil suits are largely handled via out-of-court settlements negotiated 
between attorneys representing each party in order to settle the dispute. Such 
processes are thought to be more efficient and less public than a court appear- 
ance as the proceedings are private. Final settlements may not be disclosed to the 
general public in many cases. If the parties cannot reach an agreement, then the 
plaintiff and defendant must go to court for the case to be heard by a judge and/ 
or a jury depending on the jurisdiction. The outcome of the court proceeding 
is meant to determine if the defendant is or is not liable for the claims made by 
the plaintiff. If they are found liable, then the court can move to award the 
plaintiff with whatever damages were deemed appropriate (Kerley et al., 2019). 

It is important to note that, unlike criminal cases, the burden of proof in civil 
law is on a preponderance of evidence. Specifically, the plaintiff must pres- 
ent evidence that supports more than half of their claims regarding the defend- 
ant (Kerley et al., 2019). In criminal cases, the state must prove its claims with 
evidence that demonstrates the guilt of the accused beyond a reasonable 
doubt. The lower burden in civil cases means that it may be more efficient to 
pursue such cases in court. However, the expense involved may limit the ability 
of individuals or small businesses to pursue civil cases compared to large organ- 
izations or wealthy individuals. In addition, being found liable for claims in a 
civil suit does not infer guilt on the part of the defendant, nor does it require 
admission of criminal conduct. As such, these cases frequently wind up being 
pursued for restitution rather than achieving justice for a victim or injured party 
(Kerley et al., 2019). 

There are various circumstances where civil cases may be pursued, such 
as individuals getting a divorce, individuals suing a company due to injury, a 
business suing a person over issues associated with either a breach of contract or 
criminal activity, or corporations suing one another over contractual violations 
(Karie & Venter, 2015). Evidence generated from digital forensic investigations 
can play a pivotal role in support of a plaintiffs claims. For instance, a spouse 
may be able to use digital evidence to demonstrate that their significant other 
engaged in an extramarital affair, including emails, text messages, and images 


(see Box 2.3 for more details). An employer may also use evidence culled from 
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Box 2.3. The Role of Digital Evidence in Divorce 
Cases 


Family Law: Social Media Evidence in Divorce Cases 


https://www.natlawreview.com/article/family-law-social-media- 


evidence-divorce-cases 


All that being said, posts or photos that are made public are able to 
be seen or inspected by anyone in the world with an account on that 
platform (and sometimes by those even without an account; such is the 
case with Twitter). That material is (perhaps obviously) fair game to be 


admitted as evidence for or against someone. 


This article provides guidelines for how social media posts may be acquired 
by attorneys in the course of a divorce case, as well as the challenges that 
arise depending on the ways that posted content was acquired by counsel. 


an employee’s computer to demonstrate they violated the company’s fair use 
policies for online behavior on the job. This may include web browser histories, 
email, various system files, executable programs, and other data. 

The process of digital forensic investigations in support of a civil suit is the 
same as those used by law enforcement for criminal cases (see Chapters 14-16). 
Law enforcement agencies, however, do not conduct investigations in civil 
cases; they are performed by forensic examiners who work in private practice, 
either for business or independently as private investigators or detectives. 
An individual who is a private investigator may operate on their own, through a 
company, or attorneys’ offices, to support either criminal or civil cases (Lonardo 
ét al., 2015). 

Private investigators can be found in many countries. Rules governing their 
conduct and relationship to law enforcement and the government vary from 
place to place. Within the United States, many states require an individual to 
be registered with, or licensed by, the state in order to operate (Lonardo et al., 
2015). Since each state can dictate the conditions needed in order to serve as an 
investigator, there is substantial variation in the experience and skills an individ- 
ual must have in order to be licensed. 

Interestingly, 30 states in the United States have laws requiring that an 


individual who is not in law enforcement, but engages in digital forensic 
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investigations for civil or criminal case support, must be a licensed private inves- 
tigator (Lonardo et al., 2015). Only four of these states, however, specify that 
there is a distinction between being a forensic examiner and a private investi- 
gator. Of the remaining states, 15 have no PI licensing requirements by either 
statute or interpretation of existing law, while 5 states have no licensing statutes 
related to private investigation whatsoever (Lonardo et al., 2015). 

There is some debate over the need for licensing of digital forensic examin- 
ers within the field. Some argue that licensing is needed to ensure a standard of 
professionalism and can be implemented across the field and oversight provided 
by each state (Lonardo et al., 2015). For instance, Florida’s statutes recognize 
that licensing provides a necessary check because “untrained persons, unlicensed 
persons or businesses, or persons who are not of good moral character.... are a 
threat to the welfare of the public if placed in positions of trust.” 

The PI license, however, does nothing to necessarily ensure the competency 
of a forensic investigator. Instead, the certifications an individual receives from 
various accrediting bodies ensure an individual is fully trained in the proper 
handling, processing, and reporting of evidence (Barbara, 2009; Zahadat, 2019). 
The process of certification is also relatively unstructured, as individuals can 
obtain credentials from a variety of private companies, which creates gaps in 
the knowledge across examiners (Zahadat, 2019). In fact, a recent survey of 
100 forensic examiners found that a proportion of respondents were private 
investigators with no actual certifications in digital forensics or active duty law 
enforcement officers utilizing their organization’s equipment to perform inves- 
tigations (Kessler International, 2017). As a result, care must be taken when dis- 
cussing the issue of private investigators and their credentials to actually conduct 
digital forensic investigations. 

Private investigators are not the only noncriminal justice system actors who 
now play a role in civil actions against cybercrime, but also various corpora- 
tions and organizations are increasingly taking steps to sanction cybercriminals 
or the infrastructure supporting their activities via civil suits. For instance, the 
Recording Industry Association of America (RIAA) and the United Kingdom’s 
Federation Against Copyright Theft (FACT) work in conjunction with Inter- 
net service providers (ISPs) to send cease and desist letters to individuals who 
are thought to have illegally downloaded media without payment through var- 
ious online sources (see Chapter 5 for more details; Nhan, 2013). This is a 
relatively simple strategy that is legally justified on the basis of the copyright 
holders’ financial interests that are harmed by people attempting to pirate their 


products. Sending out letters indicating that the person should not engage in 
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further attempts to pirate media are thought to serve as a deterrent by demon- 
strating that an individual’s online activities are not anonymous and may lead to 
further sanctions. 

Similarly, Facebook has sued multiple malware operators on the basis of 
abusing their platform. For instance, the company sued a Hong Kong-based 
company called ILikeAd Media International Company Ltd. and its two oper- 
ators (Cimpanu, 2019a). Facebook claimed that the company used targeted ads 
to get Facebook users to click through to a website that would download mal- 
ware on their computer and compromise their accounts. Facebook also sued 
LionMobi and JediMobi, both operating out of Asia, for producing apps that 
installed backdoor malicious software on users’ systems (Cimpanu, 2019b). The 
apps only functioned on Android devices and would produce fake clicks on 
advertisements from these two companies to increase the money they were paid 
through Facebook (Cimpanu, 2019b). 

For now, it is unclear how these cases will be resolved, though it is in keep- 
ing with a larger tradition of corporations suing cybercriminals for wrongdoing 
(Athow, 2014; Munson, 2014). In these instances, Facebook claims that victim 
accounts were secured if they were compromised, but no information has been 
given as to if or how they assisted victims in removing the malware on their 
devices. Additionally, it is unclear how Facebook is changing the security flaws 
in their advertising platforms so as to minimize the risk of future incidents. 
Thus, further research is needed to understand the ethical implications of cor- 
porate civil strategies to combat cybercrime. 


For more details on the potential legal and social risks posed by 
civil actions against cybercriminals by companies like Microsoft, 
go online to: http://digitalcommons.law.scu.edu/cgi/viewcontent.cgi? 
article=1592&context=chtlj 


Extralegal Agencies and Nongovernmental 
Organizations 


As a result of the vast scope and impact of cybercrime, law enforcement agencies 
have significant limitations that make it difficult for them to respond effectively 
to these offenses. In order to partially address these limitations, a range of pub- 


lic and private entities operate outside of law enforcement and government 


agencies to respond to and investigate cybercrimes. Such a group is typically 
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referred to as a Nongovernmental Organization (NGO) because they have 
no legal responsibility to enforce the law or respond to criminal activity. They 
may work, however, in conjunction with law enforcement agencies to provide 
assistance or information (Holt et al., 2015; Wall, 2007). NGOs that respond 
to cybercrimes are largely gatekeepers for victims or consumers and facilitate 
linkages to the criminal justice system generally. In the sections below, we dis- 
cuss three NGOs. Readers should note there are NGOs mentioned throughout 
other chapters of the book. 


Spamhaus 


A prominent global organization that helps to combat cybercrime is the non- 
profit entity called Spamhaus. The organization began in 1998 in the United 
Kingdom as a resource to help minimize the distribution of spam, or unsolicited 
emails (Spamhaus, 2021). Steve Linford, a computer security researcher, began 
the project as a means to track spammers and spam email being delivered. Over 
time, it grew into a multinational organization providing information on spam, 
phishing, malware, and related forms of cybercrime to companies, universities, 
Internet service providers, and law enforcement agencies (Spamhaus, 2021). 

One of their key products is its list of untrustworthy IP addresses that are 
being used to send spam and malware. Individuals who subscribe to their ser- 
vices are able to use information to actively block content being sent from 
those addresses at all times to reduce their risk of harm. In fact, Spamhaus esti- 
mates that their resources are used to protect over 3.1 billion email addresses 
around the world (Spamhaus, 2021). They also provide real-time intelligence 
on spammers, malware operators, and other cybercriminal entities to facilitate 
law enforcement investigations and industry responses to these threats (Spam- 
haus, 2021). 


Computer Emergency Readiness Teams (CERTs) 


One of the largest groups of NGOs is computer emergency readiness teams 
(CERTs). Computer emergency readiness teams are groups of information 
security experts, which may be publicly funded or run by private industries, that 
operate to protect, detect, and respond to cybersecurity incidents (see Chapter 4 
for more details). As of 2019, there are 503 total CERTs operating around 
the globe, located in universities, government agencies, and private industry 
(FIRST, 2022). The total number of CERTS around the globe in 2019 is a 
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10.5-percent increase (450) from 2018 and a 59-percent increase (316) from 
2015. The largest increase in the number of CERTS over the last several years 
has been in Europe. 

Though CERTs play somewhat different roles depending on where they are 
housed, their primary functions are to provide information on emerging hard- 
ware and software vulnerabilities, malware threats, and security tools to insulate 
systems from compromise. Some CERTs are also able to engage in incident 
response for government agencies, organizations, and businesses to determine 
how an attack took place (US-CERT, 2022). 


Cyber Civil Rights Initiative (CCRI) 


An additional form of NGOs is those in which private citizens come together 
for a specific cause. A notable example of such an NGO is the Cyber Civil 
Rights Initiative (CCRI), which is a volunteer-driven organization that was 
established in August 2013 as a resource to aid victims of nonconsensual por- 
nography, or revenge porn distribution where an individual’s photos or video 
are shared widely by others without their consent (see Chapter 10 for more 
details; CCRI, 2020). CCRI takes reports on nonconsensual pornography 
victimization directly from individuals who experienced this crime through 
their website. They provide advocacy for victims and assist in having content 
removed from online spaces (CCRI, 2020). Since CCRI is not a law enforce- 
ment agency, they cannot bring charges against a prospective offender. Rather, 
they use existing laws and protections for media to assist victims by having their 
content removed from online spaces and connecting with police and Internet 
service providers. Additionally, they advocate for changes to existing state and 
federal laws related to revenge porn and related offenses in order to better pro- 
tect victims (CCRI, 2020). 


International Enforcement Challenges 


The scope of cybercrimes presents a substantial challenge to law enforcement 
agencies, particularly those operating at the federal or national level. Agencies 
such as the Federal Bureau of Investigation and Secret Service in the United 
States have a remit to investigate both domestic and international cybercrime 
(Andress & Winterfeld, 2013; Brenner, 2008; Holt & Bossler, 2016). They are 
limited, however, by existing legislation and cooperative agreements with other 


countries. Though virtually all industrialized nations have criminalized various 
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forms of trespass and fraud, there is limited parity in the language of statutes 
(Brenner, 2011). 

The problem is exacerbated by a lack of extradition agreements between the 
United States, China, Russia, and Ukraine. These conditions make the United 
States an attractive target for offenders living in these nations. This makes it 
difficult to deter actors on the basis of legal sanctions alone (Brenner, 2008). In 
addition, federal prosecutors may choose not to take a case if the suspects reside 
in these nations, as there will be no real likelihood of arrest (Brenner, 2008; 
Holt & Bossler, 2016). As a result, United States law enforcement agencies have 
become reliant on existing extradition relationships with friendly nations in the 
hopes of detaining cybercriminals in the event that they travel abroad (Holt & 
Bossler, 2016). 

Law enforcement agencies’ capacity to handle cybercrime investigations 
could possibly be improved by the expansion of the existing criminal code to 
include various acts not currently criminalized or increasing punishments for 
existing offenses (Brenner, 2008; Holt & Bossler, 2016). There are currently 
federal statutes covering the compromise of computers, the use of malware 
to facilitate attacks, the acquisition or theft of personal information, and the 
use of such information to engage in identity fraud (Bossler, 2020; Brenner, 
2011). There are limits, however, as to how these cases can be built against 
offenders and minimal ways to prosecute individuals based on differing roles 
in the offense. 

To that end, the Obama administration made a push to modernize the 
existing Racketeering Influenced and Corrupt Organizations (RICO) Act to 
include hackers and cybercrime groups (Risen, 2015). The RICO laws are 
typically used to investigate organized crime groups, like the Italian mafia 
and other structured criminal networks, and enable expanded sentencing rules 
to be applied. Expanding this statute would increase opportunities to pros- 
ecute hacking cases and increase avenues for investigation, especially those 
involving multiple offenders or networks of actors (see Chapters 3, 4, and 6 
for examples). Though these revisions have yet to be acted upon, they may 
reduce some of the gaps in the current capacity of federal agencies to respond 
to cybercrimes. 

Though there are limitations to the international response to cybercrime, 
it is important to recognize the excellent global resources that exist to help 
agencies respond to these offenses. One of the most critical resources is inter- 
governmental organizations like the International Criminal Police Organiza- 


tion, commonly known as Interpol (Interpol, 2021). The role of Interpol is to 
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connect law enforcement in its 194 member nations to collect and disseminate 
information about three specific crime types: organized crime, terrorism, and 
cybercrime threats. Interpol operates 18 major databases containing information 
that can be accessed across all member nations to gain actionable intelligence 
and credible leads related to ongoing threats. Not only do they maintain physical 
evidence, such as fingerprints, stolen identity document records, but they also 
house digital evidence. Their International Child Sexual Exploitation (ICSE) 
unit maintains images and videos for analyses related to victims, offenders, and 
locations involved in child sexual abuse material production and distribution 
(see Chapter 8; Interpol, 2021). Interpol also operates a cyber fusion center, 
which publishes information on various threats related to malicious software, 
phishing campaigns, and other activities. 

Interpol also offers assistance through cybercrime training programs for law 
enforcement and support for digital forensic investigations. They also support 
the investigation of Dark Web offenses through the development of a Dark 
Web Monitor that collects information and analyzes data from various websites, 
forums, shops, and resources hosted from the Dark Web (Interpol, 2021). In 
addition, Interpol also operates task forces to coordinate international counter- 
terrorism investigations and digital forensic investigations generally. While 
Interpol agents and investigators cannot arrest individuals, the information and 
services they offer are essential to help facilitate criminal justice responses in 
member nations (Interpol, 2021). Thus, they are a vital tool in the international 


response to cybercrime. 


For more information on Interpol and its work with the Darknet 


and cyrptocurrencies, go online to: https://www.interpol.int/en/ 


How-we-work/Innovation/Darknet-and-Cryptocurrencies 


The Tension Between Security and Privacy 


On September 11, 2001, almost 3,000 individuals were killed in a coordinated 
terrorist attack by Al-Qaeda in which 4 passenger airlines were hijacked and 
crashed into the Twin Towers in Manhattan, the US Department’s Pentagon in 
Washington, DC, and a field in Pennsylvania. In a post-9/11 world, the need to 
identify actionable intelligence on threats has become paramount for virtually all 


nations. Terrorist groups have the capacity to spread their ideologies via social 


media and various websites, making susceptible individuals willing to engage 
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in acts of extreme violence against individuals either in their home city or in 
another nation (see Chapters 10 and 11 for more details; Hamm & Spaaij, 2017). 
In addition, governments must also address the increasingly common threats 
posed by serious cyberattacks by terrorists, nation-states, and criminals (Andress 
& Winterfeld, 2013; Kremling & Sharp Parker, 2017; Rid, 2013). 

All of these threats have raised substantial concerns across the globe as how 
to best protect people and infrastructure from harm. Physical barriers, police, 
and intelligence agency staff play an important role in the protection ofa nation, 
but there is also a need for tools and infrastructure to proactively develop intel- 
ligence on threats and the individuals and groups planning to do harm. Prior 
to the Internet, law enforcement agencies could reasonably monitor a group of 
interest to national security via wiretapping, or covertly listening in to phone 
conversation and other methods to surreptitiously observe and capture informa- 
tion on threats (Andress & Winterfeld, 2013). The growth of social media and 
online communications through various applications such as Signal, Telegram, 
and TikTok have exponentially increased the ways that offenders can connect 
and share information in clear text and encrypted methods. 

As a result, many nations have increased their information collection mecha- 
nisms to gain access to both online information and real-world communications 
to identify threats in advance and foil potential attacks. For example, anecdotal 
evidence suggests that police in the United States have dramatically increased 
the number of arrests for threats made by individuals on social media sites (Bayne 
et al., 2019). The substantial number of mass shootings within the United States 
and in other nations is often preceded by escalating threats made by the shooter 
on sites like Facebook, Twitter, and other platforms. To reduce the potential 
loss of life, police agencies tend to take such threats seriously and arrest individ- 
uals on the basis of their comments regardless of the actor’s intentions (Bayne 
et al., 2019). 

The nature of the methods used by police to monitor online communica- 
tions are largely kept secret from the general public on the basis that knowl- 
edge of the processes could lead them to be defeated by savvy actors (Rid, 
2013). This creates a challenge for free societies, as the public has a reasonable 
right to their personal privacy, or the ability to keep aspects of their lives 
secret from others (Kremling & Sharp Parker, 2017; Rid, 2013). Any attempt 
by the government to violate individual privacy should be made known to 
the public as it could be against the law. This creates a tension between indi- 
viduals’ rights to privacy and the government’s need to protect the safety of 
the general public. 
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This was evident in the United States following a massive domestic ter- 
ror incident, when Syed Rizwan Farook and Tashfeen Malik shot and killed 
14 people and wounded another 22 during a holiday party at the San Ber- 
nardino, California Department of Health on December 2, 2015 (Keneally & 
Shapiro, 2015). Both Farook and Malik fled from the scene of the shooting in 
an SUV, which was eventually located by police. After a high-speed pursuit, the 
pair were killed in a shoot-out with police. Subsequent searches of their home 
led police to discover a cache of weapons and homemade explosives, suggesting 
they had planned to engage in further attacks. 

The FBI took charge of the investigation in the wake of the incident, which 
eventually became known as the San Bernardino shooting case. Agents 
came to realize that both Farook and Malik were motivated by radical Islamic 
beliefs and had accessed a range of online content produced by terrorist organi- 
zations overseas. Farook’s iPhone 5c, which was owned by the county, was also 
recovered by agents. The FBI stated that it was unable to unlock the phone and 
decrypt its contents for investigators because of the security features in the iOS 
software. The United States does not have any encryption key disclosure laws 
to mandate individuals give passwords or access information to law enforce- 
ment, making it difficult to compel suspects to provide access to their devices 
(see Chapter 14 for more details). 

As a result, the federal magistrate hearing the case ordered Apple to provide 
resources to enable the FBI to access the phone’s contents. Apple refused on 
the basis that it would violate the Fifth Amendment rights of the general public 
as whatever protocols were developed for this case could be used against any 
of their customers (Benner et al., 2016). Eventually, the FBI revealed they no 
longer needed Apple to intervene as they were able to pay a third party for a 
solution to decrypt the phone (Barrett, 2016). This led to public outrage as the 
FBI gave very little information as to how this solution was developed or what 
it meant for individual privacy rights and the safety of their electronic informa- 
tion (see Chapter 14 for more discussion). Eventually, it was reported that the 
FBI paid over $1 million dollars to obtain the work-around and found nothing 
on Farook’s phone to support the investigation (Tanfani, 2018). The solution 
also became completely unusable after Apple updated their operating system 
software (Tanfani, 2018). 

The difficulty in maintaining the balance between safety and privacy was also 
evident in the revelations made by Facebook in the wake of the 2016 presiden- 


tial election in the United States. It was revealed that a company called Cam- 


bridge Analytica was able to access the account data from 87 million user 
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profiles as part of their political consulting work for the Trump presidential 
campaign (Chang, 2018). An individual working at Cambridge University who 
was tied to the company developed a Facebook quiz called “thisisyourdigital- 
life” (Chang, 2018). The app secretly collected data from the user, as well as 
their friends on the site. The information collected was then sold to Cambridge 
Analytica so that they could create users’ personality profiles in order to craft 
targeted political ads that would potentially influence their views of political 
candidates (Chang, 2018). 


For more information on the fallout from the Cambridge Analyt- 
ica scandal, please visit: 

https:// www. wired.com/story/cambridge-analytica-facebook-privacy- 
awakening/ 
https://www.nytimes.com/2018/04/08/us/facebook-users-data-harvested- 
cambridge-analytica.html 


Since Cambridge Analytica worked for the Trump campaign, their expressed 
goal was to use targeted advertisements that preyed upon the psyche of users in 
an attempt to swing voters toward Trump or suppress voter behaviors gener- 
ally (Granville, 2018). The practice of selling data violated Facebook’s policies 
related to data collection and third-party use and came to light in part thanks to 
a UK news network reporting on their practices (Granville, 2018). The secre- 
tive nature of data collection, coupled with the perceived violations of personal 
privacy, led to global outrage over Facebook’s practices. The social networking 
platform’s somewhat delayed and lax response further aggravated the situation 
and led some users to start deleting their accounts outright (Granville, 2018). 
Over the long term, however, many users still populate Facebook and regularly 
post there, suggesting the perceived violation of privacy was not enough to sink 
this global technology powerhouse. 

Massive data collection for surveillance and profiling purposes are not rele- 
gated to industry bodies, as evident in reporting on the collection processes of 
both the NSA and the GCHQ in the United Kingdom. Details of the degree 
to which governments collect information on their citizens were revealed when 
Edward Snowden, a then-NSA contractor who publicly disclosed thou- 
sands of classified documents to journalists detailing the existence of various 
active intelligence programs designed to mine electronic communications data 


maintained by technology companies and service providers, including Apple, 
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Facebook, Google, Microsoft, Skype, and Verison (Gidda, 2013; Rid, 2013). 
One of the largest of these programs was called PRISM, which began in 2007 
and combined machine learning techniques with massive data streams of email, 
text, and other electronic communications data from at least nine major service 
providers to develop intelligence on terror threats (Gidda, 2013). The data col- 
lected were indiscriminately targeted, meaning anyone’s information may have 
been included, but ideally could only be queried by PRISM analysts as a means 
to identify networks of terrorists or threats. Evidence suggested, however, that 
the data could have been used by NSA employees with minimal legal justifica- 
tion to search private information (Gidda, 2013). The data and analyses could 
also be shared with the United States’ Five Eyes partners: Australia, Canada, 
New Zealand, and the United Kingdom (Andress & Winterfeld, 2013). This 
news outraged many other nations as their citizens may have been unfairly 
affected by this program. 

Snowden also revealed a similar program called KARMA POLICE was 
implemented by the United Kingdom’s GCHQ. The program was designed to 
create profiles of the Internet use of every public person online using various 
pieces of data that could be surreptitiously collected (Gallagher, 2015). It began 
in earnest in 2009 through the use of hardware taps installed on the fiber- 
optic cables used to provide transnational Internet connectivity. Approximately 
25 percent of the world’s Internet traffic is routed through these cables in the 
United Kingdom, enabling GCHQ to capture sensitive data from global users 
as it passed through the wires without notifying the user (Gallagher, 2015). 
Their taps capture specific details about individual Internet users through their 
web browser metadata, including the individual IP address of the computer, 
the last web pages visited through that browser, the timestamp for pages visited 
compared to the IP address, and the search queries used. Additional data were 
also eventually captured on individuals’ use of email, instant messaging systems, 
search engines, social media, as well as the use of proxies or other anonymity 
tools (Gallagher, 2015). 

The massive amount of information collected by GCHQ analysts could ena- 
ble substantial profiling of not only individual computer users but also poten- 
tially entire countries. The process of data collection enabled GCHQ to collect 
50 billion metadata records per day, capturing user behaviors worldwide. At the 
individual level, the metadata captured from browsers could be used to track a 
person’s entire online footprint at any time of day and collate this information 


to patterns of email and other online communications platforms. In the aggre- 


gate, GCHQ argued it had the potential to detect shifts in an entire country’s 
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user behaviors and identify suspicious patterns in web traffic that could indicate 
on- or offline threats. They used this data to examine both foreign threats, as 
well as those within the United Kingdom, which was supported through a legal 
loophole that allowed investigators to profile UK citizens without notification 
(Gallagher, 2015). 

The emergence of information on KARMA POLICE through the Snowden 
leak led to an investigation of the processes of GCHQ by the UK Parliament. 
The study found that the program operated with minimal government over- 
sight or court rulings to justify data collection. This led to a substantial overhaul 
of the laws concerning spy techniques and the need for mass data collection 
(Gallagher, 2015). 

This program, however, has not drawn the same global attention as PRISM, 
even though it had much broader consequences for many more nations. This 
begs the question as to why such programs have not produced greater outrage 
from citizens over governmental attempts to ensure public safety (see Box 2.4 
for details). A portion of the general population may feel that such concerns are 
trivial as we must ensure public safety at any cost. Others recognize that when a 


Box 2.4 An Examination of Why We Should 
Be Concerned By Government Spying 
Campaigns 


Nine Reasons You Should Care About NSA’s PRISM 
Surveillance 


http://theconversation.com/nine-reasons-you-should-care-about-nsas- 


prism-surveillance-15075 


Mass surveillance and data retention overturn the foundation of the 
modern legal system: the presumption of innocence. Not only is the 
presumption lost for gathering evidence, it also weakens the effect of 


that presumption throughout the rest of the legal process. 


This article provides a clear and succinct explanation of the reasons why 
the average person should be concerned about government spying pro- 
grams like PRISM. Though it may seem like a problem only for those 
who are engaged in illicit behavior, these programs effectively erode our 


civil rights and require greater consideration. 
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nation’s security forces actively exceed the rule of law, or intrude on their citi- 
zens’ rights, then their efforts are unlawful (Godwin, 2003; Yar, 2013). 
Engaging in illegal activity or facilitating behaviors that the general public 
views as illegitimate can erode public confidence in the companies, agencies, 
and officials who allowed them to be performed. Should that occur, we can 
expect the general public to lose trust, support, or a willingness to cooperate 
with requests or comply with laws (Sunshine & Tyler, 2003; Tyler, 2004). 
Many western nations are now in the midst of struggles over the perceived 
legitimacy of their governments and their use of authority. The same is true 
with some social media platforms like Twitter and Facebook over long-term 
abuses observed in their platforms. The public has a right to question how the 
state and huge multinational companies use their power, the extent to which 
that power can be checked by legislators or the judiciary, and how abuses of 
power can be identified and resolved. This is a delicate balance that can be eas- 
ily upset through authoritarian tendencies or overzealous demands that could 
benefit a nation’s enemies (Yar, 2013). As a consequence, we must keep these 


tensions in mind when considering efforts to secure cyberspace. 


Summary 


The problem of cybercrime is complex, requiring a clear and coordinated 
response from police agencies and law enforcement. At present, the local, state, 
and federal levels each have their own role, but they differ in terms of their 
capacity to fully investigate civilian calls for service. These issues are exacer- 
bated at the international level due to the limitations of extradition relationships 
and investigative resources. Corporations and nongovernmental agencies have 
emerged as an important resource to combat or investigate cybercrimes in the 
absence of a more robust law enforcement strategy. The strengths and weak- 
nesses of all of these entities (police, NGOs, and industry) are discussed in the 
subsequent chapters of this work to demonstrate the ways that cybercrimes are 
dealt with around the world. 


Key Terms 


Australian Federal Police 
Beyond a reasonable doubt 
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Discussion Questions 


1. How can police agencies improve their response to cybercrime, espe- 
cially in light of the continuous evolution of technology and communi- 


cations applications? 


i) 


. If federal agencies have the greatest responsibility to investigate cyber- 
crime but have difficulties arresting offenders due to limited extradi- 
tion relationships, how can we improve their ability to deal with these 
offenses? 

3. What issues can you see in having corporations play a more prominent 

role in combatting cybercrime through the use of civil lawsuits? 

4. How do we balance security and privacy? Should Edward Snowden be 

viewed as a traitor that diminished national security or a hero protecting 


individual rights of privacy? 
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Chapter Goals 


@ Define what is a “hack” and “hacker” 

e Identify the ways that both people and technology can be compro- 
mised by hackers 

e Differentiate between nation-state and non-nation-state hackers 

e Explain the key norms and values of the hacker subculture 

e Identify the various terms used to define and differentiate hackers 

e Consider the evolution of hacking in tandem with technology over 
the last 60 years 

e Assess the legal frameworks used to prosecute hackers and the ability of 


law enforcement agencies to address computer hacking 


Introduction 


Many in the general public conceive of hackers as skilled technological wizards 
who break into the Department of Defense, financial institutions, and other pro- 
tected networks with the intent to do harm. The notion of a hacker may also 
conjure up images of various characters from television and movies, such as Neo 
from the Matrix Trilogy, who had the ability to “see” in programming language 
code and bend “virtual” reality. These stories and representations have become 
the dominant model for hackers in popular media and news organizations. 
Although there are a number of hackers who engage in malicious activities, and 
some who are amazingly sophisticated technology users, they do not accurately 
represent the entire population of hackers. Instead, hackers also operate to defend 
computer networks and expand the utility of technology. In addition, an increas- 
ing proportion of the hacker community has a relatively low level of technolog- 
ical sophistication; only a small group has expert-level knowledge of computer 
hardware and software. The global hacker community is also driven by a wide 
range of motivations which leads them to engage in both legal and illegal hacks. 

This chapter is designed to present the subculture of hackers in a realistic 
light devoid of the glitz and flash of what may be portrayed in films. By the end 
of this chapter, you will be able to understand the variations in the legal and 
ethical perspectives of hackers, as well as the norms and values of the hacker 
subculture. The history of hacking over the last 70 years will also be explored 
to ground your understanding of the actions of hackers over time, including 
the ways that individual motives for hacking have changed with the explosion 
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in computer technology. In turn, you will be able to consider the activities of 
hackers from their point of view rather than from stereotypes and media hype. 
Finally, we will explore the various legal frameworks that have been created to 
address illegal computer hacking and the capabilities of law enforcement agen- 


cies to actually make an impact. 


Defining Computer Hacking 


While many in the general public equate computer hacking with criminal activ- 
ity, hacking is actually a skill that can be applied in a variety of ways depending 
on the ethical perspective of the actor. A hack involves the modification of 
technology, such as the alteration of computer hardware or software, in order 
to allow it to be used in innovative ways, whether for legitimate or illegitimate 
purposes (Holt, 2007; Levy, 2001; Schell & Dodge, 2002; Steinmetz, 2015; 
Turkle, 1984). There are myriad applications of hacking for beneficial uses that 
are not in fact illegal. For instance, iPhones and iPods are designed to only run 


’ 


Apple approved software and applications. Any “app,” ringtone, or wallpaper 
design that the company has deemed unacceptable due to risqué or inappropri- 
ate content will not work on their devices (Whittaker, 2021). Ifa user wanted 
to use these resources, or even change the appearance of the icons and appli- 
cations on their Apple device, they would have to find a way to work around 
these limitations. Thus, programmers have created “jailbreaking” programs that 
enable users to install third party designers’ programs to be used on an iPhone 
or other Apple product. The use of jailbreaking programs constitutes a hack, as 
they enable actors to use their devices in ways that were not initially allowed 
by the designer. The use of these programs is not illegal, though they can void 
the product warranty, making the user accountable for their use of hacking 
programs (Whittaker, 2021). 

Hacks that modify programs and subvert security protocols, however, are 
illegal and can be used to obtain information or gain access to computer systems 
and protected resources in furtherance of illegal acts ranging from stealing credit 
cards to acts of terror (Dupont et al., 2017; Holt et al., 2021; see Figure 3.1 for 
details). In many cases, hackers utilize very basic nontechnical strategies rather 
than sophisticated attacks to obtain information. For instance, individuals can 
steal someone’s passwords for email accounts or access to a system by look- 
ing over the victim’s shoulder and watching their keystrokes. This act, called 
shoulder surfing, is simple and can be performed by anyone in order to obtain 


sensitive information (Mitnick & Simon, 2002). 
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Fig. 3.1 Venn 
diagram of 
computer 
hacking 
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Similarly, hackers can employ social engineering tactics to try to fool 


or convince people to provide them with information that can be used to 
access different resources (Mitnick & Simon, 2002; Salahdine & Kaabouch, 
2019). These attacks often involve making simple requests and acting clue- 
less in order to prey upon people’s willingness to help others (Mitnick & 
Simon, 2002; Salahdine & Kaabouch, 2019). These sorts of nontechnical 
attacks are invaluable to attackers because it is extremely difficult to protect 
individuals from being compromised, unlike computer systems and physical 
buildings (Mitnick & Simon, 2002; Salahdine & Kaabouch, 2019). Often the 
most easily exploited vulnerability for a person, organization, or a business 
is not a flaw in hardware or software, but rather the individual themselves. 
In fact, 44 percent of all breaches in 2019 involved errors and social media- 
related schemes that involved little technical skill on the part of the attackers 
(Verison, 2020). 


For more on social engineering, go online to: https://www.sans.org/ 
reading-room/whitepapers/critical/methods-understanding-reducing- 
social-engineering-attacks-36972 
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The information victims provide in nontechnical attacks frequently includes 
usernames and passwords for different resources like email. In turn, the attacker 
can gain access to personal or corporate information sources that they may not 
own or have permission to access. The issue of ownership and access is why 
David Wall (2001) conceived of computer hacking as an act of cyber-trespass in 
keeping with burglary in the real world. A hacker must cross network bounda- 
ries without approval from the owner or operator in much the same way as a 
burglar enters a dwelling without permission. In order to compromise a com- 
puter system or network, the hacker must utilize vulnerabilities, or flaws, in 
computer software or hardware, or people in the case of social engineering 
(Furnell, 2002; Taylor, 1999). There are hundreds of vulnerabilities that have 
been identified in all manner of software, from the Microsoft operating system 
Windows, to the web browsers that we use every day (O’Driscoll, 2021). In 
much the same way that burglars in the real world attempt to identify weak- 
nesses in the design of homes, entrances, exits, and residents’ behaviors and 
activities in order to find ways to get inside a location (e.g. Wright & Decker, 
1994), hackers’ first steps in developing a hack using technical means is identi- 
fying these vulnerabilities. 


For more information on vulnerabilities, go online to: https://nvd. 


nist.gov 


Once a vulnerability has been identified in a piece of technology, a hacker 
can then develop or utilize an exploit, a program that can take advantage of 
vulnerabilities to give the attacker deeper access to a system or network (Fur- 
nell, 2002; O’Driscoll, 2021; Taylor, 1999). There are many tools available 
online for hackers to use in order to exploit existing vulnerabilities in computer 
software (Chu et al., 2010; O’Driscoll, 2021) and various forms of malicious 
software which can be acquired for free from web forums or purchased from 
vendors in online black markets (see Chapter 4 for details; Chu et al., 2010). 
Similarly, burglars can use tools, such as crowbars and keys, to gain access into a 
residence through vulnerable points of entry (Wright & Decker, 1994). 

In the context of hacking, vulnerabilities and their attendant exploits can be 
used by anyone regardless of their ethical beliefs. For instance, there are vulner- 
ability scanning tools available online, such as Nessus, which allow individuals 
to easily determine all the vulnerabilities present on a computer system (Jetty, 


2018). This tool can be used by hackers working on “red teams” or “tiger 
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teams” hired by corporations to identify and penetrate their networks in order 
to better secure their resources. Red teams are authorized by system owners 
to engage in these acts; thus they are not violating the law. The same scanner 
could be used as a first step in an attack to identify vulnerabilities on a system 
to determine what exploits should be used to compromise the system (Jetty, 
2018). Running such a scan without permission from the system owners would 
be viewed as an illegal form of hacking (Jetty, 2018). 


Non-Nation-State Actors vs. Nation-State Actors 


Despite misconceptions over who and what is a hacker, it is clear that the use 
of hacking for malicious purposes can have severe economic and social con- 
sequences for computer users. The most common targets for attack by mali- 
cious hackers are individual computer users, private industry, and governments. 
In fact, the general public present an excellent target for the majority of hack- 
ers since they may have sensitive information stored on their computer and 
can serve as a launch point for subsequent attacks against different targets 
(discussed in Chapter 4). A malicious hack can often affect multiple groups at 
the same time, and may be performed by individuals acting alone, in small 
groups, or in conjunction with a foreign military or government (Dupont 
et al., 2017; Holt et al., 2019; Leukfeldt et al., 2017). When individuals act 
without any sort of state backing, they are referred to as non-nation-state 
actors because they have no immediate affiliation to an organization (Maurer, 
2018; Rid, 2013). 


For more information on cyberthreats at the nation-state level, 
go online to: http://www.baesystems.com/en/cybersecurity/feature/ 


the-nation-state-actor 


Non-nation-state actors who engage in hacking frequently target individuals 
and institutions in order to steal sensitive information that can be resold or used 
in some fashion for a profit (Holt & Lampke, 2010; Leukfeldt et al., 2017). 
For instance, credit and debit card numbers are a regular target for hackers, as 
this information can be used by the hacker to obtain funds or sold to others to 
facilitate fraud (Holt et al., 2016; Leukfeldt et al., 2017). These attacks negatively 
affect both the cardholders and the financial institutions who manage customer 


accounts (Peretti, 2009). Alternatively, they may steal usernames, passwords and 
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related data so that user accounts can be compromised and used for phishing and 
other purposes (Dupont et al., 2017; Leukfeldt et al., 2017). 

There are myriad breaches occurring across the globe every year, leading to 
the loss of personal data and sensitive data. For instance, 29 million Facebook 
user accounts were compromised by hackers from July 2017 through September 
2018 (Leskin, 2018). The attackers were able to use vulnerabilities in Facebook 
software to gain access to users’ personal information, including their location 
data, search histories, and what devices were used to access the account. Simi- 
larly, over 500 million individuals who stayed at Marriott hotels from 2014 to 
2018 were affected by a data breach when hackers compromised their reserva- 
tion database and regularly copied and stole guest data (Leskin, 2018). 

Perhaps one of the worst breaches in recent memory affected the country 
of India, as over 1.1 billion people were affected by a breach leading to the loss 
of their government-managed identity information, including ID details and 
connected bank accounts. This breach occurred because a utility company with 
access to the government identity database did not secure their access portal. As 
a result, anyone was able to gain access to the system, resulting in catastrophic 
loss of information (Leskin, 2018). 

By contrast, hackers who engage in attacks at the behest of or in cooperation 
with a government or military entity can be referred to as nation-state actors 
(Maurer, 2018; Rid, 2013). Though it is unclear how many nation-state hack- 
ers there are internationally, they are most likely a small number relative to the 
larger population of non-nation-state actors. The targets of nation-state actors’ 
attacks differ substantially. They frequently target government agencies, corpo- 
rations, and universities using hacks to engage in both espionage and theft of 
intellectual property (Maurer, 2018). 

An excellent example of nation-state sponsored hacking involves the crea- 
tion and dissemination of a piece of malicious software called Flame (see Chap- 
ter 4 for more detail on malware). It is thought that hackers working for the US 
National Security Agency and/or the Israeli government were responsible for 
the development of this malware, which was identified in May 2012 by security 
researchers (Symantec, 2012; Zetter, 2012). The program was found to have 
infected computers in government agencies, universities, and home computers, 
primarily in the Middle East including Iran. There were, however, infections 
identified in Europe and North America. 

The malware was designed to target specific computers and serve as an espi- 


onage tool, enabling backdoor access to any system files, the ability to remotely 


record audio, capture keystrokes and network traffic, and even record Skype 
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conversations (Cohen, 2012; Zetter, 2012). One of the most unusual features of 
this code was that it could remotely turn on the infected computer’s Bluetooth 
functions in order to log the contact data from any nearby Bluetooth-enabled 
device, such as a mobile phone or tablet (Symantec, 2012). The malware was 
also remotely wiped from all of these systems after it was made public, eliminat- 
ing any evidence of the infections. 

The complexity and utility of the tool suggested to researchers that it could 
have only been produced through the resources of a nation state. Additionally, 
the malware shared some common attack points with another well-known 
piece of malware called Stuxnet that has been heavily associated with the United 
States and Israel (see Chapter 10 for detail on this program; Cohen, 2012; Zet- 
ter, 2012). The computers targeted are also indicative of the interests of a nation- 
state due to the fact that it was originally identified on Iranian Oil Ministry 
computers and other systems across Iran, Syria, Saudi Arabia, and various Mid- 
dle Eastern nations. Finally, evidence from security analysts at Kaspersky demon- 
strated that the majority of infections were targeted within Iran to specifically 
acquire schematics, PDFs, text files, and technical diagrams (Lee, 2012). The 
purpose of these attacks was to acquire information about the Iranian nuclear 


program and surreptitiously spy on any actors associated with its development. 


For more on a ransomware attack against critical oil infrastructure 
in the United States by a Russian criminal group, go online to: 
https://www.cnn.com/2021/05/10/politics/colonial-pipeline-white- 


house-reaction/index. html 


Over the last two decades, there have been an increasing number of attacks 
performed by non-nation-state actors against government and industry targets 
due to social conflicts both online and offline (Brenner, 2008; Denning, 2010; 
Kilger, 2010). For instance, individuals associated with the hacker collective 
Anonymous attacked various police and government agencies across Saint Louis 
County, Missouri in August 2014. They targeted these systems as a form of 
protest in the wake of the shooting death of Michael Brown, a teenager who 
was killed by police in Ferguson, Missouri (Hunn, 2014a). The hackers not only 
engaged in denial of service attacks against websites and government services, 
but also released the personal information of police and others associated with 
the Ferguson Police Department (Hunn, 2014b). Anonymous members also 
encouraged physical protests which lasted for days after the shooting occurred. 
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In much the same way, there have been a range of serious cyberattacks tar- 
geting the country of Ukraine over the last six years, most all of which appear 
to originate from Russian state actors or civilians. Ukraine was originally part 
of the Soviet Union up until its dissolution in the early 1990s. At that time, 
Ukraine became its own sovereign nation, with relatively friendly relations to its 
neighbors, particularly Russia. However, a number of events occurred through- 
out the late 2000s and early 2010s in Ukraine that led Russia and Russian sym- 
pathizers within the nation to engage in escalating social and physical conflicts. 
In fact, Russia invaded a part of Ukraine called Crimea, and seized power, and 
began to back separatists who tried to seize power of other parts of the state. 

The severity of these physical conflicts has been dwarfed by the outcomes of 
cyberattacks, which have targeted the entire infrastructure of the nation, from 
its power grid to financial and government systems. Russian hackers have used 
various malware, ranging from ransomware (see NotPetya in Chapter 1) to a 
piece of software that caused a power outage in the capital city of Ukraine. This 
attack caused an hour long blackout in Kyiv two days before Christmas, and 
researchers have found evidence to suggest that it did not fully function as 
designed (Greenberg, 2019). The malware appears to have been structured to 
not only cause a blackout, but actually damage the equipment used to operate 
the power grid when identified and disabled. Thankfully this did not occur, 
otherwise the city may have been subject to a long-term blackout and costly 


repairs to fix the damages (Greenberg, 2019). 


For more information on the activities of Anonymous in Fergu- 
son, Missouri, go online to: https://www.stltoday.com/news/local/ 
crime-and-courts/not-so-anonymous-how-hackers-wreaked-havoc-in- 
st-louis/article_809a5d53-7d67-57ft-96f9-ee5772b395d0. html 


The Human Aspects of the Hacker Subculture 


In light of the various targets affected by hacks, it is necessary to understand 
the individuals responsible for these attacks (see Box 3.1 for details). Individuals 
who utilize hacks may be referred to as hackers, though this term has different 
meanings to different groups (Jordan & Taylor, 1998; Schell & Dodge, 2002; 
Taylor, 1999; Turkle, 1984). Individuals within the hacker community may 
argue that a person can only be a hacker dependent on their level of skill or 
interest in technology (Holt, 2007; Jordan & Taylor, 1998). Individuals in the 
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Box 3.1. The Jargon File Definition of Hacking 
Hacker: n 


http://catb.org/jargon/html/H/hacker.html 


1. A person who enjoys exploring the details of programmable systems and 
how to stretch their capabilities, as opposed to most users, who prefer to 


learn only the minimum necessary. 


The Jargon File provides a very distinct and well-accepted set of defi- 
nitions for what constitutes a hacker. The definition also recognizes the 
differences between a hacker who is motivated by curiosity and intellect 


relative to malicious intent. 


general public might often define a hacker, however, as a young, antisocial 
nerd who can only relate to others via their computer (Furnell, 2002; Schell & 
Dodge, 2002). They may also be viewed as misfits who are involved in criminal 
or illicit activities, or perhaps computer technicians within the public and pri- 
vate sector (Furnell, 2002; Schell & Dodge, 2002). 

Empirical studies conducted on the hacker community suggest that hackers 
are predominantly under the age of 30, although there are older hackers as well 
working in the security community (Bachmann, 2010; Holt et al., 2009; Jor- 
dan & Taylor, 1998; Weulen Kranenbarg et al., 2021; Schell & Dodge, 2002). 
Younger people may be attracted to hacking because they have greater access 
and exposure to technology, as well as the time to explore technology at deep 
levels. Older hackers appear to be gainfully employed, working primarily in the 
computer security industry (Bachmann, 2010; Weulen Kranenbarg et al., 2021; 
Schell & Dodge, 2002). Younger hackers may or may not be employed; some 
may be students in high school or universities. In fact, hackers tend to have a mix 
of both formal education and knowledge acquired on their own through read- 
ing and experiential learning (Bachmann, 2010; Holt, 2007; Holt et al., 2009). 
Limited evidence suggests that a proportion of skilled actors may have at least a 
community college education, while a small number have degrees from four- 
year institutions (Bachmann, 2010; Holt et al., 2008; Schell & Dodge, 2002). 

Hackers also appear to be predominantly male, though it is unknown what 
constitutes the true gender composition of the subculture (Gilboa, 1996; Jordan 
& Taylor, 1998; Steinmetz et al., 2020; Taylor, 1999). This is because most 
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hackers conceal their identities from others online and are especially resistant to 
being interviewed or participating in research studies (Gilboa, 1996; Holt, 2007; 
Steinmetz et al., 2020). Thus, it is difficult to identify the overall composition 
of the hacker community at any given point in time. 

There is also substantive evidence that hackers have a number of social 
relationships that influence their willingness to engage in different forms of 
behavior over time (Dupont et al., 2017; Leukfeldt et al., 2017). Peer rela- 
tionships often emerge online through involvement in forums, Internet Relay 
Chat (IRC) channels, and other forms of computer-mediated communication 
(Dupont et al., 2017; Jordan & Taylor, 1998; Steinmetz, 2015), though a por- 
tion may involve social relationships cultivated in the real world (Leukfeldt 
et al., 2017). This is true not only for those interested in legitimate hacking, 
but also for criminal hacks. In fact, recent research on international networks 
of individuals involved in phishing and malware schemes suggest that the actors 
depended on technical expertise cultivated from web forums where technically 
proficient hackers communicated (Dupont et al., 2017; Leukfeldt et al., 2017). 

These associations are invaluable as friends and relatives can provide mod- 
els to imitate hacks (Morris & Blackburn, 2009; Leukfeldt et al., 2017), posi- 
tive encouragement and praise for unique hacks, and justifications for behavior, 
including excuses and beliefs about the utility of malicious hacks (Bossler & 
Burruss, 2011; Morris, 2011; Skinner & Fream, 1997). In fact, many hackers 
deny any harm resulted from their actions (Brewer et al., 2020), or blame their 
victims for having inadequate computer skills or systems to prevent victimiza- 
tion (Brewer et al., 2020; Jordan & Taylor, 1998). 

There are many communities operating via CMCs across the globe for hack- 
ers at every skill level to identify others who share their interests. There are 
hacker-related discussions in social groups via IRC, forums, blogs, and other 
online environments (Holt, 2007, 2009a,b; Leukfeldt et al., 2017). Hackers 
have operated in bulletin board systems (BBSs) since the late 1970s and 
early 1980s to provide information, tools, and techniques on hacking (Meyer, 
1989; Scott, 2005). The content was posted in plain text and occasionally fea- 
tured images and art made from ASCII text, in keeping with the limitations of 
the technology at the time (see www.asciiworld.com for examples). These sites 
allowed asynchronous communications between users, meaning that they could 
post a message and respond to others. In addition, individuals hosted download- 
able content including text files and tutorials, though some also hosted pirated 


software and material, called warez (Meyer, 1989; for more on piracy, see 


Chapter 5). The BBS became an important resource for new hackers, since 
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experienced technology users and budding hackers could share detailed infor- 
mation about systems they explored and discuss their exploits (Landreth, 1985). 

The BBS allowed hackers to form groups with private networks based on 
password-protected boards intended to keep out the uninitiated and maintain 
privacy (Landreth, 1985; Meyer, 1989). Closed BBSs were initially local in 
nature based on telephone area codes, but changed with time as more individuals 
obtained computers and sought out others online. Local hacker groups grew to 
prominence as a result of BBSs based on their exploits and intrusions into sensi- 
tive computer systems, such as the Masters of Disaster and the Legion of Doom 
(Slatalla & Quittner, 1995). As a result, it is common for individuals to belong to 


multiple forums and websites in order to gain access to pivotal resources online. 


For more information on what hacker BBSs looked like in the 


1980s, go online to: http://hackers.applearchives.com/pirate-BBSs.html 


In addition to online relationships, hackers often report close peer associations 
with individuals in the real world who are interested in hacking (Holt, 2009a,b; 
Meyer, 1989; Schell & Dodge, 2002; Steinmetz, 2015). These networks may 
form in schools or through casual associations in local clubs. There are also local 
chapters of national hacker conferences, like the DefCon or DC groups (Holt, 
2009a). For example, local 2600 groups began to form around the publication 
of the underground hacker/phreaker magazine of the same name in the early 
1980s (2600, 2011). These chapters operate in order to bring interested individ- 
uals together to share their knowledge of computers and technology with others. 

Similarly, hacker spaces have emerged over the last decade as a way for 
individuals with knowledge of technology to come together in order to share 
what they know with others (Hackerspaces, 2021). There are now 2,413 hack- 
erspaces listed, with 996 marked as active and 362 as planned. They are often 
located in warehouses or large buildings rented by nonprofit groups in order to 
give individuals a chance to play with various technologies in an open and 
encouraging environment (Hackerspaces, 2021). This stimulates interest in 
technology and expands individual social networks to relate to a larger number 
of people who share their interests. 


For more information regarding hacker spaces, go online to: 


hee 
an 


www.hackerspaces.org/ 


fi 
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There are also a number of regional and national conferences in the United 
States and Europe focusing on hacking and computer security. They range from 
regional cons organized by local groups, such as PhreakNIC in Nashville, Ten- 
nessee, and CarolinaCon in Raleigh, North Carolina, to high profile organized 
meetings arranged by for-profit industries like DefCon. DefCon has been held 
since 1993 and is now one of the preeminent computer security and hacking 
conferences in the world (DefCon, 2021). The conference draws in speakers 
and attendees from law enforcement, the intelligence community, computer 
security professionals, attorneys, and hackers of all skill levels for discussions on 
a range of topics covering hardware hacking, phreaking, cryptography, privacy 
laws, and the latest exploits and vulnerabilities in everything from ATMs to cell 


phone operating systems (Holt, 2007). 


To learn more about DEF CON, go online to: https://defcon.org/ 
index.html 


Similar cons are held around the world, such as the Chaos Communication 
Congress (CCC), which is the oldest hacker conference in Europe. The CCC 
has been held since 1984 in various locations across Germany, with more than 
9,000 attendees in 2013 (Kinkade et al., 2013). Thus, cons play an important 
role in sharing information about technology and connecting hackers in the real 
world which might not otherwise happen in online environments. 


Hacking History 
1950s: The Origins 


In order to understand the hacker community, it is important to explain its 
historical evolution in the context of computing technology since its infancy in 
the late 1950s (see Table 3.1 for details). Some researchers argue that the term 
“hacking” emerged from engineering students at the Massachusetts Institute of 
Technology (MIT) in the 1950s (Levy, 2001). This phrase was used by students 
to refer to playful, but skilled, tinkering with electronics and was largely synon- 
ymous with “goofing off’ or “fooling around.” In fact, the MIT model railroad 
club (TMRC) used the term to describe their work on the club’s railroad sys- 
tems (Levy, 2001). They perceived hacking as a way to solve problems in spite 


of conventional techniques for engineering and electronics. 
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The emergence of computing in the 1950s in university settings like 
MIT, Cornell, and Harvard also facilitated the emergence of hacking. At 
the time, computing mainframes were massive systems encompassing whole 
climate-controlled rooms with relatively limited memory and overall process- 
ing power (Levy, 2001; see Box 3.2 for details). These devices were not linked 
together in any networked fashion as is the case with current computers, and 
individuals working with these systems had to develop their own unique solu- 
tions to problems experienced by programmers and users. Computer pro- 
grammers who managed the systems of the time were often pressed to find 
ways to speed up the otherwise slow processing of their mainframe comput- 
ers. The elegant and innovative solutions to these problems were referred to 
as “hacks,” and the programmers responsible were identified as “hackers” in 
keeping with the original concept as generated among the student body at 
MIT (Levy, 2001). 


Timeline of Computer Hacking 


Table 3.1 A timeline of notable events in the history of hacking 


1955 ¢ The first computer hackers emerge at MIT. Members try their hand in 
rigging the new mainframe computing systems being studied and developed 
on campus. 

1968 * The UNIX operating system is developed by Dennis Ritchie and Keith 
Thompson. 

1971 * Phone hackers or phreaks break into regional and international phone 


networks to make free calls. John Draper discovers that a toy whistle found 
inside a Cap’n Crunch cereal box generates a 2600 Hz tone. By building 
a “blue box” using the toy whistle, resulting in free calls, John Draper and 
other phreaks land feature story in Esquire Magazine entitled “Secrets of the 
Little Blue Box.” 

* The first email program is created by Ray Tomlinson. 

Microsoft is created by Bill Gates and Paul Allen. 


1975 
1976 


The Apple Computer is created by Steve Jobs, Stephen Wozniak, and Ron 
Wayne. 


1980-1982 | « Phone phreaks move into computer hacking. 

* Message boards called electronic bulletin board systems (BBSs) are created to 
exchange information and tactics with other phreaks. 

« Emergence of many hacking groups, including Legion of Doom and The 


Warelords in the United States, and the Chaos Computer Club in Germany. 


1981 * Tan Murphy becomes the first hacker to be tried and convicted as a felon for 


computer hacking. 


(Continued) 
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Table 3.1 A timeline of notable events in the history of hacking (Continued) 
1983 ¢ “War Games” sheds light on the capabilities that hackers could have. 


Generates fear among the public. 


“414” gang arrested for allegedly breaking into 60 computer systems from Los 
Angeles to Manhattan. As a result the story gets mass coverage and the US 


House of Representatives holds hearings to discuss cyber security. 


1984 


The Hacker Magazine or Hagazine called “2600” and the online zine Phrack 


a year later are created to give tips to upcoming hackers and phone phreaks. 


The Comprehensive Crime Control Act of 1984 is passed, giving the Secret 


Service jurisdiction over computer fraud. 


1985 


The first PC virus, called the Brain, is created. The virus used stealth 


techniques for the first time and originated in Pakistan. 


1986 


As a result of numerous break-ins on government and corporate computer 
systems, Congress passes the Computer Fraud and Abuse Act, which makes it 


a crime to break into computer systems. The law did not apply to juveniles. 


1988 The Morris Worm incident is caused by Robert T. Morris, the son of a 
Chief Scientist of a division of the National Security Agency, and a graduate 
student at Cornell University. Morris plants a self-replicating worm on the 
government’s Arpanet in order to test what effect it would have on the 
UNIX system. The worm spread and clogged 6,000 networked computers 
belonging to the government and the university. As a result, Morris was 
expelled from Cornell, given probation, and fined $10,000. 

The Computer Emergency Response Team (CERT) is created by DARPA 


(Defense Advanced Research Projects Agency), an agency of the United 


States Department of Defense responsible for the development of new 
technologies for use by the military. DARPA would address network 
security. 

1989 ¢ The Hacker’s Manifesto is published by “The Mentor” and the Cuckoo’s Egg 
is published by Clifford Stoll. 

Herbert Zinn becomes the first juvenile to be convicted under the Computer 
Fraud Act. 


1990 ¢ The Electronic Frontier Foundation is founded in order to protect and defend 


the rights of those investigated for computer hacking. 


Operation Sundevil commences, a prolonged sting operation where Secret 
Service agents arrested prominent members of the BBSs in 14 US cities 
during early-morning raids and arrests. The arrests were aimed at cracking 
down on credit card theft and telephone and wire fraud. This resulted in the 
breakdown in the hacking community, whereby members were informing on 


each other in exchange for immunity. 


1993 ¢ DefCon hacking conference held in Las Vegas to say goodbye to BBSs. 
Popularity of event resulted in a meeting every year thereafter. 
1994-2000 | « Emergence of the World Wide Web. Hackers adapt and transfer all 


information to web sites; as a result the face of hacking changes. 
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Table 3.1 A timeline of notable events in the history of hacking (Continued) 


1994 * Russian crackers siphon $10 million from Citibank and transfer money to 
bank accounts around the world, led by Vladimir Levin who transferred funds 
to accounts in Finland and Israel using his laptop. Levin was sentenced to 
three years in prison. All but $400,000 was recovered. 

1995 * Kevin Mitnik is charged with illegally accessing computers belonging 

to numerous computer software and computer operating system 
manufacturers, cellular telephone manufacturers, Internet service 
providers, and educational institutions. Mitnik was also responsible for 
the theft, copying, and misappropriation of proprietary computer software 
from Motorola, Fujitsu, Nokia, Sun, Novell, and NEC. Mitnick was 

also in possession of 20,000 credit card numbers once captured. Chris 

Pile becomes the first person to be jailed for writing and distributing a 


computer virus. 


1995 * AOHell, a freeware application that allows unskilled script kiddies to wreak 
havoc on America Online or AOL is released, resulting in hundreds of 


thousands of mailboxes being flooded with email bombs and spam. 


1996 ¢ Hackers alter the websites of the United States Department of Justice, 
the CIA, and the US Air Force. Reports by the General Accounting 
Office state that hackers attempted to break into Defense Department 
computer files approximately 250,000 times, 65 percent of which were 


successful. 


1998 « NASA, the US Navy, and universities across the country are targeted by 
denial of service attacks on computers running Microsoft Windows NT and 
Windows 95. 

Carl Fredrik Neikter, the leader of the Cult of the Dead Cow, releases the 


Trojan Horse program “Black Orifice,” which allows hackers remote access 


to computers once installed. 


1999 * Napster is created by Shawn Fanning and Sean Parker, attracting millions of 
users before being shut down in July of 2001. 

* The first series of mainstream security software is released for use on personal 
computers. 

* Bill Clinton announces a billion-dollar initiative to improve computer 
security and the establishment of a network of intrusion detection monitors 
for certain federal agencies. 

* The Melissa virus is released causing the most costly malware outbreak to 


date. 


The Cult of the Dead Cow releases an updated version of Black Orifice. 


2000 * Hackers launch Denial-of-Service (DoS) attacks, shutting down Yahoo, Buy. 
com, Amazon, eBay, and CNN. 
2001 * The Department of Energy’s computer system at Sandia National Laboratories 


in Albuquerque is compromised. 


Microsoft’s main server is hacked by DDoS attacks. 
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Table 3.1 A timeline of notable events in the history of hacking (Continued) 


2002 * Internal training and quality control campaign started by Bill Gates in order to 


insure the security of Microsoft. 


George W. Bush’s administration submits a bill that would create the 
Department of Homeland Security, which would have, as one of its many 
roles, the responsibility of protecting the nation’s critical information 


technology (IT) infrastructure. 


The CIA warns of an impending launch of cyberattacks on US computer 
networks by Chinese hackers funded by the Chinese government. 


”Shatter Attacks” is published by Chris Paget, showing how the Windows 
messaging system could be used to take control of a machine and questioning 


the security of the Windows system itself: 


2003 


Anonymous is formed. 


The United States Department of Commerce allows hacker groups to export 
encrypted software. 
2004 


Myron Tereshchuk is taken into police custody for an attempt to extort 


millions from Micropatent. 


North Korea claims to attempt to break into South Korea’s computer systems. 


2005 


Rafael Nunez, member of “World of Hell,” is taken into custody for cracking 


into the Defense Information Systems Agency. 


Cameron Lacroix is convicted for hacking into T-Mobile’s USA network. 


Jeanson James Ancheta, member of “Botmaster Underground,” is arrested 
by FBI. 


2006 


Kama Sutra, a worm specializing in destruction of data, is discovered and 
found to replicate itself through email contacts, disrupting documents and 


folders. The threat turned out to be minimal. 


Jeanson James Ancheta convicted for his role in hacking systems of the Naval 
Air Warfare Center and the Defense Information Systems Agency, sentenced 
to prison, and ordered to pay damages in addition to handing over his 
property. 

Iskorpitx hacks more than 20,000 websites. 


Robert Moore and Edwin Pena, hackers featured on America’s Most Wanted, 


are convicted and ordered to pay restitution. 


FairUse4WM is released by Viodentia, removing DRM from music service 


websites. 


2007 ¢ Estonia recovers from DDoS attacks. 


During Operation “Bot Roast,” the FBI locates over a million botnet victims; 
the second botnet operation uncovers a million infected computers, results in 


a loss of millions of dollars, and several indictments. 


Office of Secretary of Defense undergoes a spear-phishing scheme, resulting 
in the loss of US Defense information as well as causing communication and 
identification systems to be altered. 

The United Nations website is hacked. 


(Continued) 
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Table 3.1 A timeline of notable events in the history of hacking (Continued) 


2008 


* Project Chanology occurs on a Scientology website by Anonymous resulting 


in the loss and release of confidential information. 


2009 


* The Conficker worm hacks into the computer networks of personal 


computers and government. 


2010 


* “Operation Aurora”: Google admits to attacks on its infrastructure from 
China resulting in the loss of intellectual property. 

* Stuxnet worm discovered by VirusBlockAda, deemed to be a cyberattack on 
the nuclear facilities of Iran. 

* MALCON conference held in India, founded by Rajshekhar Murthy. Event 
gives an opportunity to display the techniques of malware coders from around 
the world. 


2011 


* The website of Bank of America is hacked by Jeopardy, who is accused of 
stealing credit card information by the FBI. 

* The PlayStation Network is compromised revealing personal information 
of its consumers, recognized as one of the largest data breaches to date. 


YouTube channel of Sesame Street hacked. 


Palestinian Territories’ internet networks and phone lines hacked from 


multiple locations around the world. 


2012 


¢ Hundreds of thousands of credit card numbers from Israel released by Saudi 
hacker named OxOmar. As a result Israel releases hundreds of credit card 
numbers from Saudi Arabia. 

* Team Appunity, a Norwegian hacker group, is taken into custody 
for releasing the user database for the largest prostitution ring in 
Norway. 

* Foxconn is hacked by Swagg Security, compromising information. 

* WHMCS and MyBB are hacked by UGNazi due to the use of its 
software. 

* Government sites including Farmers Insurance, MasterCard, and others 
are hacked by Swagg Security resulting in the release of personal 


information. 


2013 


* Burger King Twitter account is hacked by McDonald’s. 

* The Syrian Electronic Army attacked various media outlets because of articles 
they viewed as being sympathetic to Syrian rebel forces. 

* Chinese hackers attack the New York Times over a story published regarding 
China’s prime minister. 

* The Montana Emergency Alert System was hacked and broadcast messages 


regarding a zombie apocalypse. 


Target and other retailers are compromised by Point of Sale (PoS) malware 
that steals tens of millions of customer records leading to the largest data 
breaches on record. 


« Anonymous hacked the official Twitter and Flickr accounts of North Korea 


to post mean messages about Kim Jong-un. 


(Continued) 
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Table 3.1 A timeline of notable events in the history of hacking (Continued) 


2014 


* Sony Pictures is hacked by a hacker group called the Guardians of Peace. 
They dump substantial quantities of intellectual property and sensitive email 
exchanges online and threaten violence if the film The Interview is not pulled 


from theaters. 


A vulnerability in the OpenSSL software used to encrypt online 
communications is identified, called Heartbleed. It allows users to capture 


sensitive data from web servers with little to no detection. 


Multiple retailers and financial service providers are hacked, including J. P. 


Morgan Chase and Home Depot. 


Evidence emerges that the United States and United Kingdom are responsible 
for the release of malware called Regin that surreptitiously collects data from 
infected systems, and is viewed as the most sophisticated espionage malware 


created to date. 


Major celebrities were the target of a phishing scheme to acquire their Apple 
iCloud usernames and passwords in order to gain access to their personal 
photos and videos. Several high profile female celebrities’ nude photos were 


released online. 


2015 


¢ The website Ashley Madison, designed to facilitate extramarital affairs, is 


hacked by the “Impact Team” who leak their customer database online. 


The Ukraine’s power grid is compromised by hackers, coinciding with 


Russian incursions into the country to seize territory. 


The US Office of Personnel Management (OPM) was compromised leading 
to a breach of over 21 million individuals’ personal data, particularly their 
security clearance information and fingerprint details. Experts speculate it was 
performed by Chinese hackers as none of the information acquired was resold 


to others. 


Anthem Health Care, a major insurance provider in the United States, was 
compromised by hackers leading to the loss of 80 million customers’ sensitive 


information. 


2016 


* Yahoo revealed that a series of compromises occurred since 2013 leading to 
the loss of 500 million users’ data. 


The 2016 Democratic National Committee is hacked by someone using 


the handle Gucifter 2.0. The information acquired from the hack, including 
sensitive email exchanges, are posted online by Wikileaks. The US 
government declares this hack was enabled by the Russian government as part 


of a larger campaign to affect the US elections. 


A hacker group calling itself the Shadow Brokers tried to sell hacking tools 
and programs they acquired from an NSA hacking team, sometimes referred 


to as the Equation Group. 


Major websites, including Netflix, undergo a DDoS attack using Internet 
of Things (loT) devices, such as wireless security cameras, infected by Mirai 


botnet malware. 


(Continued) 


85 


Computer Hackers and Hacking 


86 


Table 3.1 A timeline of notable events in the history of hacking (Continued) 


2017 ¢ The WannaCry ransomware attack affects individuals and organizations 
around the world. 

* NotPetya malware identified in the Ukraine causes damages to corporations 
across Europe, and various parts of the world, and is thought to have been 
generated by Russian state actors. 

* The organization Equifax is compromised by hackers, leading to the loss of 


credit records for more than 140 million US citizens. 


2018 * Ransomware infections targeting Atlanta, Georgia slows their ability to do 


basic business for days. 


Facebook was hacked, leading to the loss of personal information for over 

30 million users, including sensitive information. 

* The United States indicts two men for their active use of SamSam 
ransomware, which is thought to have caused more than $30 million in 
damages to victims. This is the first such prosecution in the United States. 

2019 * Healthcare companies Quest Diagnostics and LabCorp were affected by a 
data breach leading to the loss of millions of customers’ medical, financial and 
personal information. 

* Cities across the United States are targeted by ransomware leading to huge 
losses for municipalities of all sizes. 

* Mobile game manufacturer Zynga was hacked which led to the loss of over 
218 million user credentials. 

* Anonymous takes responsibility for hacking four Chinese databases in support 


of Hong Kong’s protests against Chinese political pressures in the country. 


2020 * Beauty company Estee Lauder was compromised by hackers, leading to 
the loss of 440 million pieces of information. It is though that hackers had 
backdoor access to the system for some time and released all manner of 
internal corporate documents as well. 

* The cellular service provider Pakistani Mobile had 99 million user accounts 
posted online for sale by hackers, though it is unclear how long ago the actual 


hack may have occurred. 


Russian and Chinese nation-state hackers attempted to breach medical 

companies in Europe and the US in an attempt to acquire plans for 

COVID-19 vaccination formulations. 

* Anonymous is thought to have hacked multiple US police departments to acquire 
police data in the wake of the death of African American suspects in police custody. 

* US-based IT services provider SolarWinds was hacked, leading to the 

compromise of major companies and US government agencies, making it the 


potentially worst hack of all time. 


The above information was accessed from: 

1 http://steel.lcc.gatech.edu/~mcordell/lcc6316/Hacker%20Group% 20Project%20FINAL.pdf 
2 http://en.wikipedia.org/wiki/List_of_security_hacking_incidents 

3 http://edition.cnn.com/2001/TECH/internet/11/19/hack.history.idg/index.html 


4 www.symantec.com/about/news/resources/press_kits/securityintelligence/media/SSR-Timeline. pdf 
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Box 3.2 Mainframe Computing Systems 


Hello MAUI, Goodnight Mainframe 


http://now.uiowa.edu/2013/03/hello-maui-goodnight-mainframe 


What’s a mainframe? Sometimes called “big iron,” a mainframe is a 
large-scale computer that can support thousands of users simultane- 
ously and run vital operations reliably and securely. The mainframe 
probably got its name from massive metal frames that once housed it, 


often occupying thousands of square feet. 


This article describes the early phases of mainframe computing and the 


eventual transition from these room-sized devices to the laptops of today. 


For more information on the history of hacking at MIT, go online 
to: http://tmrc.mit.edu/hackers-ref. html 


1960s and 1970s: The Hacker Ethic 


The perception of the hacker as a skilled programmer and tinkerer continued 
through the 1960s. The social upheaval and civil unrest experienced during this 
decade, however, would affect the ways that hackers viewed their relationship 
to technology and the larger world. As computer technology moved from uni- 
versities into military applications, the number of programmers and “hackers” 
began to expand. As a consequence, a culture of programmers emerged based 
on a series of ideas called the hacker ethic by Steven Levy (2001): 


= 


Access to computers — and anything that might teach you something about 
the way the world works — should be unlimited and total. 


i) 


All information should be free. 


ic) 


Mistrust authority — promote decentralization. 


fs 


Hackers should be judged by their hacking, not bogus criteria such as degrees, 


age, race, or position. 


on 


You can create art and beauty on a computer. 


an 


Computers can change your life for the better. 
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Though these six ideas are interrelated, the core belief within the hacker 
ethic is that information should be open and free to all so that individuals can 
understand how things work and identify ways that they could be improved 
(Thomas, 2002). 

The importance of transparency through technology became even more 
salient in the 1970s with the introduction of two activities: phreaking and 
homebrew computing. The emergence of phone phreaking, or tampering with 
phone technology to understand and control telephone systems, was espoused 
by elements of the 1960s and 1970s counterculture movement (Landreth, 
1985; Wang, 2006). Individuals like Abbie Hoffman, an activist and protestor 
who wrote Steal This Book, advised people to engage in phreaking as a way to 
strike out against telephone companies for profiteering from a wonderful ser- 
vice. Hoffman and other groups wanted people to phreak because they could 
make free calls to anyone in the world by controlling telephone system switches 
through various devices and tones. The novel application and manipulation of 
telephony through phreaking led this activity to be the first form of hacking to 
gain a broader audience outside of traditional computing. 

The act of phreaking gained national attention in the mainstream media 
through an article published in Esquire magazine on John Draper and various 
other “phreaks” in 1971 (Wang, 2006). Subsequently, law enforcement and 
telephone security began collaborative crackdowns to eliminate phreaks from 
penetrating telephony. The absence of laws pertaining to the exploration and 
manipulation of computers and telephony made it difficult for police agencies 
until the late 1970s, when the first legal statutes were developed (Wang, 2006). 
In fact, one of the first computer crime laws in the United States was passed in 
Florida in 1978 making all unauthorized access to computer systems a third 
degree felony (Hollinger & Lanza-Kaduce, 1988). 


For more information on blue boxes and phreaking, go online to: 
http://www.lospadres.info/thorg/lbb. html 


The 1970s also saw the emergence of hobbyist groups focused on the 
development of computer hardware and software. These groups operated 
through informal meetings run in garages and other settings to facilitate con- 
versations on the design and construction of personal computers (PCs). These 
hobbyists often used a combination of commercial computer kits sold through 


magazines, as well as their own innovative designs and “hacks” of existing 
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resources. Their practices helped to advance the state of personal computing, 
though they did not typically refer to themselves or their activities as hacking 
(Ceruzzi, 1998). 


1980s: PCs, Entertainment, and the Hacker Manifesto 


The adoption of PC technology was initially slow, and did not take hold until 
the early 1980s when middle income families began to purchase computers. The 
concurrent explosion of video games and home electronic entertainment systems 
exposed young people to technology as never before. Young people, particularly 
males, were increasingly attracted to these devices and began to explore and use 
computers beyond their advertised value as learning tools. Similarly, modem 
technology, which connects computers to other computers and networks via 
telephone lines, improved and became accessible to the common home user. 
Individuals who had never before had access to computer technology could now 
identify and explore connected computer networks (Furnell, 2002). This led to 
the rise of the BBSs culture where local groups and hackers across the country 
could connect and share information with others (Slatalla & Quittner, 1995). At 
the same time, a growing underground media began to publish homemade mag- 
azines on computers, hacking, and phreaking, such as Phrack and 2600. These 
publications helped to propel individual interests in hacking and connect the 
burgeoning computer-using community together. 

The increasing popularity of technology in the general public led to increased 
media attention around computers and youth. This was due, in part, to the the- 
atrical release of the movie WarGames, which featured a teenage hacker played 
by Matthew Broderick who unsuspectingly gains access to military computer 
systems and nearly causes a nuclear holocaust (Schneider, 2008). The film piqued 
the curiosity of some youth and increased interest in hacking and computer use 
in general (see Box 3.3 for details). 

Media outlets quickly published stories on malicious hacker groups in order 
to capitalize on the public interest in computer misuse stemming from the film 
(Marbach, 1983a,b). For instance, the Federal Bureau of Investigation (FBI) 
began raiding and filing suits against the members of a local group of hackers 
known as the “414s” based on their Milwaukee area code (Krance et al., 1983). 
The teen boys compromised protected networks but did not cause harm to 
systems or data (Hollinger & Lanza-Kaduce, 1988). Their acts drew attention 
from both federal law enforcement and the media to the growing perceived use 


of hacking for criminal purposes. Thus, this marked a distinct divergence in the 
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Box 3.3. A Hacker Talks about WarGames 


When WarGames came out, that was probably the biggest boon 
to the modern hacker that there ever was. Because right after that 
war dialers came out ... programs that you could download to your 
computer that were all over the BBS that you could download that 
would call up people’s computers and just look for modem tones. 
And then, they’d record the greetings that the computers gave. 
Everybody was friendly back then so when you dialed into a com- 
puter, it gave you the identification of who the computer was and... 
if it was governmental or something like that. It would either tell 
you, you know this is so and so’s computer or simply would not tell 
you anything and that would be a flag that hey, this is, you know, is 
something worth looking at. If it just asked you for your username 
and password, then maybe I need to go in here. Most of ‘em didn’t 
even ask for usernames. They just wanted passwords ... So you start 
doing things and when I got my first modem, WarGames came out 
as a movie and I saw all these dialers and I thought you know, this 
is cool. And so you download one of the dialers and you run it. 
You check every phone number in your neighborhood and after 
it had checked for five days and like come up with four numbers 
or whatever and you would take those numbers and call ‘em and 
you would get the greeting protocols. And from that point in time 
you'd bring in your second program which was just, it would dial 
up, connect, and then it would randomly generate a password. Try 
to get through and it would keep doing it ... so you would take this 
wardialer and you would tell it, ok ’'m going to dial every phone 
number in there looking for a modem and hang up. And you know 
if I don’t get a modem in so much time, hang up, go to the next 
one. So the people think they get a hang-up phone call, it’s annoy- 
ing, but that’s it. When you finally do get one, it sends across its 
I-identification which was usually a welcome greeting, “welcome 
to blah-blah blah-blah-blah” and... it would record that and then 
you'd go through at the end of, you know, after you'd let it sit for 
however long it took to go through that exchange and for the ten 
thousand numbers in the exchange it might take eight hours. You’d 
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come back at the end of eight hours you’d look at all your greetings 
and see if any of “em were what you were looking for. Once you 
knew they were what you were looking for then it was a matter of 
brute forcing the passwords. 


(Interview conducted with Mac Diesel by Thomas J. Holt) 


concept of hacking and hackers from the notion in the 1950s and 1960s of eth- 


ical computer tinkerers to a more criminal orientation. 


For more information on 1980s hacker groups and cyber gang 


warfare caused by racism, go online (caution: racist language, 


including the N-word, appears in the article) to: http://archive. 
wired.com/wired/archive/2.12/hacker_pr.html 


The criminalization of hacking and the growing schism in the hacker com- 
munity was exacerbated by the publication ofa brief text called The Conscience of a 
Hacker, or The Hacker Manifesto (Furnell, 2002). The document was written by 
“The Mentor” in 1986 and first published in the magazine Phrack. The Men- 
tor railed against adults, law enforcement, and schools, arguing that hackers seek 
knowledge even if that means breaking into or gaining access to protected computer 
systems. These activities do not make hackers criminals according to the Mentor, 
but rather misunderstood and unappreciated by adults who have no conception 
of the value of technology. He also encouraged hackers to engage in phreaking 
because telephone companies were “run by profiteering gluttons.” This document 
supported some of the criminal aspects of hacking that were in opposition to the 
1960s conception of hacking and the broader hacker ethic. As a consequence, a 
rift began to form between hackers based on their support of either the Manifesto 
or the hacker ethic, as well as their perception of malicious and exploratory hacks. 

In fact, there are two terms that are used by some to attempt to differentiate 
between hackers who seek to harm or destroy systems and those who do not. 
The term crack emerged within the hacker subculture to recognize and sepa- 
rate malicious hacks from those acts supported by the hacker ethic (Furnell, 
2002; Holt, 2010). Those who engage in deviant or criminal applications of 


hacking could be labeled as crackers since true hackers consider destructive 
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hackers to be “a lower form of life” (Furnell, 2002). Thus, the act of cracking is 
thought to be different from hacking based on the outcome of the attack and 
not the techniques applied by the actor. 


For the full text of the Hacker Manifesto, go online to: www.phrack. 
org/issues/7/3.html#article 


The criminalization of hacking continued through the creation of the fed- 
eral Counterfeit Access Device and Computer Fraud and Abuse Act (CFAA) 
of 1984, and its subsequent revision in 1986. The 1984 law initially focused on 
the use and abuse of credit card information and established that any criminal 
incident involving $5,000 of loss or more was a federal offense to be handled 
by the Secret Service (Hollinger & Lanza-Kaduce, 1988). The 1986 revision of 
this act, however, expanded legal protections to all computerized information 
maintained by banks and financial institutions. 

Furthermore, the law added three new violations: (1) unauthorized access to com- 
puter systems with the intent to defraud; (2) unauthorized access with intent to cause 
malicious damage; and (3) the trafficking of computer passwords with the intent to 
defraud (Taylor et al., 2010). These laws not only codified criminal applications of 
hacking, but also aftorded police agencies with better tools to prosecute the activities 
of hackers across the country (Hollinger & Lanza-Kaduce, 1988; Sterling, 1992;). In 
turn, multiple high profile law enforcement investigations developed during the late 
1980s and early 1990s, such as the pursuit of Kevin Mitnick (Shimomura & Markoff, 
1996; see Box 3.4 for details) and Kevin Poulsen (Littman, 1997). 

As technology became increasingly user friendly and affordable in the early 
1990s, the hacker population continued to expand. The hacker subculture 
became more segmented based on the use of perceived unethical hacking tech- 
niques by the increasing number of young hackers (Taylor, 1999). For instance, 
modern hackers would typically attempt to gather internal documents after 
accessing a system, both for bragging rights and to allow for the free exchange of 
information through the hacker network. This desire to spread information and 
discuss attack techniques afforded a mechanism for law enforcement to gather 
evidence of illegal activities (Holt, 2007). As a consequence, the free exchange 
of information within the hacker community began to evolve into trying to 
diminish the likelihood of detection and prosecution (Kilger, 2010; Taylor, 
1999). Local hacker groups began to support conferences on the topic of hack- 
ing in the United States, including DefCon, Hackers On Planet Earth (HOPE), 
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Box 3.4 The Criminal Exploits of Kevin Mitnick 
Mitnick Speaks! 


www.forbes.com/1999/04/05/feat.html 


FORBES.COM [F]: How would you characterize the media coverage of 
you? 

MITNICK [M]: When I read about myself in the media even I don’t 
recognize me. The myth of Kevin Mitnick is much 
more interesting than the reality of Kevin Mitnick. If 
they told the reality, no one would care ... 


In this article, Kevin Mitnick discusses his hacks and his life during incar- 
ceration for violations of the Computer Fraud and Abuse Act. He also 
discusses his thoughts on the post-release conditions he would have to live 


with once he completed his prison sentence. 


and PumpCon. Similar conferences have been held since the mid-1980s in Ger- 
many, such as the Chaos Communication Congress (CCC), which began 
in 1984 in Hamburg, then moved to Berlin in 1998 (Kinkade et al., 2013). 
These meetings afforded the opportunity to connect in the real world and gave 
the hacker population an air of respectability in the face of increasing criminal 


prosecutions of hacker groups (Holt, 2007). 


1990s: Affordable Technology, the Computer Security 
Community, and Financial Gain 


At the same time, the computer security community began to emerge in the 
1990s with the incorporation of skilled hackers who understood the process of 
identifying and securing vulnerable software and hardware. This created a new 
tension within the hacker community between supposedly ethical hackers who 
worked for private industry and unethical hackers who used the same tech- 
niques to explore and exploit systems (Jordan & Taylor, 1998; Taylor, 1999). 
Some felt this was an important transition back to the origins of the hacker 
ethic, while others viewed the change from hacker to security professional as a 
process of selling out and betraying the very nature of open exchange within the 
hacker community (Taylor, 1999). 
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The prosecution and detention of Kevin Mitnick exacerbated this issue in 
the mid-1990s. Mitnick was viewed as a hero by the hacker community because 
of his substantial skill and the overly harsh treatment at the hands of law enforce- 
ment and prosecutors (Taylor et al., 2010). In fact, federal prosecutors barred 
Mitnick from using a computer or Internet-connected device for several years 
after his release from a federal prison due to fears that he might cause substantial 
harm to telephony or private industry (Painter, 2001). Many hackers donated to 
Mitnick’s legal defense fund and felt that he was a scapegoat of fearmongering 
by legislators and law enforcement (Taylor et al., 2010). Shortly after his release 
from prison, Mitnick began a computer security consulting business and angered 
those in the subculture who viewed this as a betrayal of the basic principles of 
the hacker community. As a result, he lost a good deal of respect but provided 
a model for others to transition from hacker with a criminal past to security 
insider in an increasingly technologically driven society. 


For more information on Mitnick’s prison experience, go online 
to: www. youtube.com/watch?v=lJFCbrhLojA 


By the late 1990s, the World Wide Web and PC had radically altered the 
nature of business and communications. The global expansion of connectivity 
afforded by the Internet led to the digitization of sensitive financial and gov- 
ernment information and massive databases accessible online. Financial service 
providers and business platforms moved to online environments to offer services 
directly to home computer users, offering convenient modes of communica- 
tion and shopping. As a consequence, the landscape and dynamics of computer 
hacking and the computer security industry changed. 

The motives for hacking also shifted during this period from acquiring status 
and acceptance from the social groups that dominated hacking in the 1980s and 
1990s toward economic gain (Chu et al., 2010; Kilger, 2010; Holt and Lampke, 
2010). The complexity of the tools used by hackers increased, and their func- 
tionality changed from infecting and degrading global networks to attacking and 
stealing sensitive information surreptitiously. In fact, the problem of phishing, 
where consumers are tricked into transmitting financial information into fraud- 
ulent websites where the information is housed for later fraud, grew in the late 
1990s and early 2000s (James, 2005; Wall, 2007). These crimes are particularly 
costly for both the individual victim and financial institutions alike. Accord- 
ing to the Anti-Phishing Working Group (2021), there were 199,120 unique 
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phishing websites that were detected in December 2020 alone, which was a 
decrease from the previous two months (October: 225,304; November: 212, 
878). In addition, over 500 brands were targeted in December 2020 as part of 
phishing campaigns. 

During this time, individuals began to apply hacking techniques and skills 
in attacks based on political and social agendas against government and private 
industry targets. For instance, members of the hacker collective, the “Elec- 
tronic Disturbance Theater,” created and released an attack tool called Flood- 
Net (Denning, 2010; Jordan & Taylor, 2004). This program was designed as a 
standalone tool to enable unskilled actors to engage in denial of service attacks 
against various government services as a form of “civil disobedience” (Cere, 
2003; Schell & Dodge, 2002). Such an attack keeps individuals from being able 
to use communications services, thereby rendering them useless. This tool was 
first employed in an attack against the Mexican government because of their 
treatment of Zapatista separatists who were fighting against what they perceived 
to be governmental repression (Denning, 2010). See Box 3.5. 

Similarly, hackers in India and Pakistan engaged in a series of defacement 
attacks over a four-year period from 1998 to 2001 due to the use of nuclear 
weapons testing and development in India (Denning, 2010). Web defacements 


Box 3.5 The Electronic Disturbance Theater 
and Cyberattacks 


Tactical Poetics: FloodNet’s Virtual Sit-ins 


http://rhizome.org/editorial/2016/dec/01/tactical-poetics-floodnets- 


early-1990s-virtual-sit-ins/ 


It was a simple Java applet designed to rapidly reload a given webpage, 
but in the hands of these artists, it became a powerful “weapon of 
collective presence” and conceptual artwork — an exercise in “tactical 


poetics. 


In this essay, the role of FloodNet as a tool of protest and its association 
to the corporeal and virtual is discussed in detail. Examining the use of 
FloodNet as a tool for attacks in the 1990s demonstrates the thoughtful 


nature of hacking depending on the motive of the attacker. 
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Box 3.6 The Ongoing Conflict Between Indian 
and Pakistani Hackers 


Hackers from India, Pakistan in Full-Blown Online War 


http://www.gadgetsnow.com/tech-news/Hackers-from-India-Pakistan- 
in-full-blown-online-war/articleshow/44766898.cms 


Even as gunfire continues to be traded across the Indo-Pak border, a 
full-blown hacking and defacement war has erupted in cyberspace. On 
Thursday, over a dozen Indian and Pakistani websites were defaced by 
hackers from either side of the fence. 


In this article, the various attacks between hacker crews in both India and 
Pakistan are detailed. This includes targeted defacements against govern- 
ment, industry, and educational institution websites, due in part to physi- 
cal conflict between the two nations. 


allow an actor to replace the original web page with content of their own 
design, including text and images. Such an attack is an ideal mechanism for 
politically motivated attackers to express their attitudes and beliefs to the larger 
world. Thus, the number of defacements dramatically increased during this 
period as more countries became connected to the Internet and saw this envi- 
ronment as a means to express their political and religious ideologies (Denning, 
2010). To understand how hacking is used as a method for both legitimate and 
malicious activities that affect individuals and governments around the world, it 
is necessary to examine the modern hacker subculture and its influence on 
structuring the hacker identity. See Box 3.6. 


For more information on web defacements, go online to: www. 


Dy 
ial 


zone-h.org/ 


The Contemporary Hacker Subculture 


The activities of hackers are driven, in large part, by the values and beliefs of the 


current hacker subculture. Three primary norms within the hacker community 


have been identified across multiple studies: (1) technology; (2) knowledge; and 
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(3) secrecy (Holt, 2007; Jordan & Taylor, 1998; Meyer, 1989; Steinmetz, 2015; 
Taylor, 1999; Thomas, 2002). These norms structure the activities and interests of 
hackers regardless of their involvement in ethical or malicious hacks; they are highly 


interconnected and important in understanding the overall hacker subculture. 


Technology 


The act of hacking has been directly and intimately tied to technology since the 
development of the term “hack” in the 1950s (Holt, 2007; Jordan & Taylor, 
1998; Meyer, 1989; Steinmetz, 2015; Taylor, 1999; Thomas, 2002). The inter- 
ests and activities of hackers center on computer software and hardware, as well 
as associated devices like electronics, video games, and cell phones (Holt, 2007; 
Jordan & Taylor, 1998; Turkle, 1984). These interests are interrelated, as under- 
standing of hardware can improve an individual’s understanding of software and 
vice versa. Thus, an individual’s connection to technology and their sense of 
ownership over the tools of their “craft” (Steinmetz, 2015) increases their ability 
to hack (Holt, 2007; Jordan & Taylor, 1998; Taylor, 1999; Thomas, 2002). 

To generate such a connection, hackers must develop a deep appreciation 
of computers and be willing to explore and apply their knowledge in new ways 
(Jordan & Taylor, 1998). Hackers must be curious and explore technology often 
through creative play with devices, hardware, and software. For instance, one 
of the most well-known hackers is John Draper, also known as Cap’n Crunch. 
He was very active in the 1970s and 1980s in the hacker community and is 
known for having blown a giveaway whistle found in a box of Cap’n Crunch 
cereal into his phone receiver (Furnell, 2002; Wang, 2006). The whistle created 
the perfect 2600 Hz tone that was necessary to enable an individual to connect 
to long distance lines at that time. Such an act of hacking the telephone system 
is known as phreaking, combining the notion of “phone” and “hacking” 
together (Furnell, 2002; Holt, 2010; Wang, 2006). Draper’s unique application 
of phreaking knowledge through the use of a simple children’s toy garnered a 
great deal of respect and attention from the phreaking community and popular 
media. In turn, this act demonstrates the importance of exploration and creativ- 
ity in the hacker community. 

The importance of technology for hackers often emerges early in youth. 
Many who become involved in the hacker community report developing an 
interest in technology at an early age. Many hackers report gaining access to 
computers in their early teens or even younger (Bachmann, 2010; Holt, 2007). 


Simply utilizing computers in public cafes and schools can also help pique a 
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hacker’s interest in technology (Holt, 2010). Identifying peers who share their 
affinity for technology on or offline is also extremely valuable because it helps to 
maintain their interests. Hackers maintain loose peer associations with individ- 
uals in online environments that may be useful in the development of their skill 
and ability (Dupont et al., 2017; Holt, 2009a,b; Holt & Kilger, 2008; Leukfeldt 
et al., 2017; Schell & Dodge, 2002; Taylor, 1999). 


Knowledge 


The central importance of technology in this subculture drives individuals to 
have a deep commitment to having knowledge and mastery of a variety of 
technological tools, including hardware and software (Meyer 1989, Holt, 2007; 
Steinmetz, 2015; Thomas 2002). Hackers spend a significant amount of time 
learning about technology in order to understand how devices work at deep 
levels. The hacker community stresses that individuals need to learn on their 
own rather than ask others to teach them how to do things (Holt, 2007; Jordan 
& Taylor, 1998; Taylor, 1999). Though social connections provide access to 
information and accumulated knowledge, the idea of being a hacker is driven 
in part by curiosity and experiential knowledge that can only be developed 
through personal experience. 

An individual interested in hacking cannot simply ask others to teach them 
how to hack (Holt, 2007; Jordan & Taylor, 1998; Taylor, 1999). Such a request 
would lead to a person being ridiculed or mocked and embarrassed publicly by 
others. Instead, most hackers learn by spending hours every day reading manu- 
als, tutorials, and forum posts in order to learn new things (Holt, 2007, 2009a; 
Jordan & Taylor, 1998; Taylor, 1999). Hackers also belong to multiple forums, 
mailing lists, and groups in order to gain access to resources and information 
(Dupont et al., 2017; Holt, 2007, 2009a; Holt & Kilger, 2008; Meyer, 1989; 
Taylor, 1999). The increasing importance of video sharing sites has also ena- 
bled people to create tutorials that describe in explicit detail and demonstrate 
how to hack. For instance, Turkish hackers regularly post videos on YouTube 
and hacker forums that explain in detail how certain hacks work so that they 
can help others learn about technology (Holt et al., 2017. Constant changes in 
technology also require hackers to stay on the cutting edge of innovations in 
computer hardware and software in order to improve their overall understand- 
ing of the field. 

Individuals who can apply their knowledge of technology in a practical fash- 


ion often garner respect from others within the subculture (Holt et al., 2017). 
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The hacker subculture is a meritocracy where individuals are judged on the basis 
of their knowledge of computer hardware and software. Those with the greatest 
skill have the most status, while those with little to no ability but a desire to hack 
receive the least respect from others. Hackers who create new tools, identify 
unknown exploits, and find novel applications of technology often generate 
media attention and respect from their peers in forums and blogs (Dupont et al., 
2017). Demonstrations of technological mastery provide cues that they are a 
hacker with some skill and ability (Holt et al., 2017). By contrast, individuals 
who engage in poorly executed hacks or have minimal skills but try to brag 
about their activities can be ostracized by others (Dupont et al., 2017; Holt, 
2007; Jordan & Taylor, 1998; Meyer, 1989; Steinmetz, 2015). 

One of the most salient demonstrations of mastery of technology can be seen 
at cons, where individuals can compete in hacking challenges and competitions. 
For example, DefCon and some regional cons hold Capture the Flag (CTF) 
competitions where hackers compete against each other individually or in teams 
to hack one another, while at the same time defending their resources from 
others. This demonstrates the dual nature of hacking techniques for both attack 
and defense. Many cons also hold trivia competitions with questions about 
computer hardware, software, programming, video games, and the exploits of 
well-known hackers. These games allow individuals to demonstrate their under- 
standing and connection to the social history of hacking, as well as their techni- 
cal knowledge. The winners of these competitions are usually recognized at the 
end of the con and are given prizes for their accomplishment. Such recognition 
from the general public helps to validate an individual’s knowledge and skill and 


demonstrate their mastery over social and technical challenges (Holt, 2009a). 


For more information on CTFs, go online to: www.youtube.com/ 


watch?v=giAe7wU4r2o0 il es 


The importance of knowledge is also reflected in the way that hackers refer 
to individuals within the hacker subculture, as well as those who operate out- 
side of it (Furnell, 2002; Holt, 2007, 2010; Jordan & Taylor, 1998; Taylor, 
1999). There are a variety of terms that are used to describe hackers. Individuals 
who are new to hacking and have minimal knowledge of technology may be 
referred to as a noob or newbie (Holt, 2010). This may be used derogatorily 
in order to embarrass that person, although many simply identify themselves as 


noobs in order to clearly delineate the fact that they may not know much about 
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technology. Regardless, those who are considered noobs generally have no sta- 
tus within the hacker community (Furnell, 2002; Holt, 2010). 

As hackers learn and gain an understanding of computer software and hard- 
ware, they may attempt to apply their knowledge with limited success. One 
of the key ways that a person may hack early on involves the use of tools and 
kits found on hacker websites and forums (Bachmann, 2010; Furnell, 2002; 
Holt, 2010). The proliferation of hacker tools over the last two decades has 
made it relatively easy for individuals to engage in various hacks because these 
resources automate the use of exploits against known vulnerabilities. The ability 
to quickly and easily hack a target is enticing for individuals who are new to the 
subculture because they may feel such an act will garner status or respect from 
others (Furnell, 2002; Holt, 2007; Holt et al., 2017; Taylor, 1999). They do 
not, however, understand the way that these tools actually affect computer sys- 
tems so their attacks often fail or cause greater harm than initially intended. As 
a consequence, many within the hacker subculture use the term script kiddies 
to refer to such individuals and their acts (Furnell, 2002; Holt, 2007, 2010; Tay- 
lor, 1999). This derogatory term is meant to shame individuals by recognizing 
their use of premade scripts or tools, their lack of skill, and the concurrent harm 
that they may cause. In addition, older members of the hacker community may 
also refer to noobs or script kiddies as lamers or wannabees, referencing their 
limited capacity and skills (Furnell, 2002). 

Those hackers who spend a great deal of time developing a connection to 
technology and robust understanding of computers may be able to demonstrate 
that they are more than just a noob or script kiddie (see Holt, 2010). Eventually, 
they may be able to demonstrate enough capacity to be viewed as a hacker, or 
even leet (1337), by others in the subculture. There is no single way, however, 


” 


to determine when a person is “officially” considered a hacker or leet (Holt, 
2007). For instance, some people may not refer to themselves as hackers because 
they feel that being a hacker is something that others must apply to you, rather 
than something you can bestow upon yourself (Holt, 2007). Thus, they may 
simply allow others to call them a hacker rather than use the term on their own. 
Others argue becoming a hacker is based on experience, such that you are only 
a hacker after you can use various programming languages, repair your own 
computer, and create your own tools and scripts (Holt, 2007; Taylor, 1999). 
Within the community of skilled hackers, some use the terms white hat, 
black hat, or gray hat to refer to an actor based on the way that they apply 
their knowledge (see Furnell, 2002; Holt, 2007, 2010; Thomas, 2002). White 
hats are thought to be “ethical” hackers who work to find errors in computer 
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systems and programs to benefit general computer security (Furnell, 2002; Holt, 
2007, 2010). Black-hat hackers use the same techniques and vulnerabilities in 
order to gain access to information or harm systems (Furnell, 2002; Holt, 2007, 
2010). Thus, black hats may sometimes argue that they are no different from 
white hats; instead it is a perceptual difference among security professionals 
(Holt, 2007). Gray-hat hackers fall somewhere between these two camps, as 
their motives shift or change depending on the specific situation (Furnell, 2002; 
Holt, 2010). The ambiguous nature of hacker ethics, however, makes it difficult 
to clearly identify when someone is acting purely in a black or white context. 
The use of a term like gray hat is used to identify the ethical flexibility and 
lack of consistency in individual hackers’ actions (Furnell, 2002; Holt, 2007, 
2010; Jordan & Taylor, 1998). A gray-hat hacker may use their knowledge for 
beneficial purposes one day, while breaking into a computer system to steal 
information the next day. Thus, there is significant variation in the actions of 
skilled hackers. 


Secrecy 


The importance hackers place on demonstrations of knowledge and deep com- 
mitment to technology creates a unique tension within the hacker subculture: 
the need for secrecy (Jordan & Taylor, 1998; Taylor, 1999; Thomas, 2002). 
Since some forms of hacking are illegal, an individual who attempts to brag 
about their activities to others can place themselves at risk of arrest or legal sanc- 
tions (Dupont et al., 2017; Kilger, 2010; Taylor, 1999). This does not stop hack- 
ers from talking about or engaging in illicit activities in relatively public arenas 
online. Instead, they use various techniques to reduce the likelihood that their 
real identity is compromised, such as handles or nicknames in online and offline 
environments in order to establish an identity separate from their real identity 
(see Furnell, 2002; Jordan & Taylor, 1998). Handles serve as a digital representa- 
tion of self. They may be humorous or serious, depending on the individual. 
For example, one hacker adopted the handle TweetyFish under the assumption 
that no judge would ever take criminal hacks associated with that name seri- 
ously (Furnell, 2002). Others take names that are associated with scofflaws and 
villains, like the group the Legion of Doom in the 1980s, or represent violence 
and pillaging like Erik Bloodaxe (Furnell, 2002). Regardless of the handle an 
individual chooses, its use helps to create a persona that can be responsible for 
successful hacks and activities and diminish the likelihood of reprisals from law 
enforcement (Furnell, 2002; Jordan & Taylor, 1998; Taylor et al., 2010). 
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Some hackers also attempt to segment themselves and shield their activities 
from the general public through the use of closed web forums and private mes- 
sage boards. Requiring individuals to register with a website or forum helps to 
give some modicum of privacy for posters and diminishes the likelihood that 
anyone in the general public may stumble upon their conversations (Meyer, 
1989). Law enforcement officers and computer security researchers can still gain 
access to these forums and generate information about serious hacks and attacks, 
though it is harder to identify these resources when they are closely kept secrets 
(Dupont et al., 2017). In fact, some hacker groups keep their sites from appear- 
ing in search engine results like Google by turning off the feature “robots.txt” in 
the HTML coding (Chu et al., 2010). This keeps web spiders from logging the 
site and reduces the likelihood that outsiders may access their resources. Indi- 
viduals within the hacker subculture can still identify and gain access to these 
resources. Hackers, therefore, tread a fine line between sharing information and 
keeping certain knowledge private (Jordan & Taylor, 1998). 

The issue of secrecy has also affected the way that individuals engage with 
one another at conferences and in public settings. The substantive increase in 
law enforcement investigations of hackers and the concurrent incorporation of 
hackers into government and private industry to secure resources means that 
individual attendees may be surrounded by people who are focused on identi- 
fying malicious hackers (Holt, 2007, 2010; Schell & Dodge, 2002). Conferences 
like DefCon have actively attempted to single out when an individual is in such 
a position through their “Spot the Fed” contest (Holt, 2007). The game involves 
pulling an attendee out of the crowd who people perceive to be a federal agent 
and asking them a series of questions about their life and job. If the person is, in 
fact, a federal agent, both the fed and the spotter receive t-shirts to commemo- 
rate the experience (Holt, 2007). 


To see “Spot the Fed” in action, go online to: www.youtube.com/ 
watch?v=oMHZ4qQuYyE 


The Spot the Fed game was initially designed to draw attention to the pres- 
ence of law enforcement at the con, and stress the need to carefully manage 
what is shared with strangers in the open. The game also helps demonstrate the 
boundaries between hackers and law enforcement and sheds light on the role of 
law enforcement in the hacker subculture. Over time, however, the game 
has become much more playful, and has occurred with less frequency as the 
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conference has become a more established part of the computer security com- 
munity. The presence of such a game still emphasizes the need for secrecy in 


managing how hackers interact with others on- and offline. 


Legal Frameworks to Prosecute Hacking 


The federal government within the United States is the primary level of govern- 
ment that attempts to curtail computer hacking activities by passing and enforc- 
ing legislation through various agencies. At the federal level, the primary statutes 
used to prosecute hacking cases are referred to as the Computer Fraud & 
Abuse Act (CFAA) (discussed previously). This act, listed as Section 1030 of 
Title 18 of the US Criminal Code, was first passed in 1986 and has been revised 
multiple times over the last three decades. These laws prosecute attacks against 
a “protected computer,” which are defined as any computer used exclusively 
or nonexclusively by a financial institution or the federal government, as well 
as any computer used to engage in interstate or foreign commerce or commu- 
nication generally (Bossler, 2020; Brenner, 2011). This broad definition was 
adopted in 1996 in order to provide protection to virtually any computer con- 
nected to the Internet and to increase the efficacy of federal statutes to prosecute 
hacking crimes (Bossler, 2020; Brenner, 2011). 

The CFAA (18 USC § 1030) stipulates seven applications of hacking as 
violations of federal law, though we will focus on four of these statutes here. 
The other three statutes are discussed in Chapter 4 because they pertain more 
to malicious software and certain attacks that may extend beyond or can be 
completed without the use of computer hacking. In addition, 18 USC § 1030 
(b) also made it illegal to conspire to commit any of the seven acts of the CFAA. 
With that in mind, there are four offenses that immediately pertain to unauthor- 
ized access as discussed thus far: 


= 


Obtaining national security information: Knowingly accessing a computer 
without authorization or by exceeding authorized access and obtain infor- 
mation protected against disclosure which could be used to the disadvan- 
tage of the United States or the advantage of a foreign nation and willfully 
deliver that information to another person not entitled to receive it or retain 
the information and refuse to deliver it to the person entitled to receive it 
(18 USC § 1030 Sect. (a)(1)). 

Accessing a computer and obtaining information: Knowingly accessing a 


i) 


computer without authorization or by exceeding authorized access to: 
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a) Obtain information contained in a financial record of a financial insti- 
tution or of a card issuer or contained in a file of a consumer reporting 
agency on a consumer; 

b) Obtain information from any federal department or agency; 

c) Information from any protected computer (18 USC § 1030 Sect. (a)(2)); 

3 Trespassing in a government computer: To intentionally and without author- 
ization access any nonpublic computer of a US department or agency that is 
exclusively for the use of the government and affects the use of that computer 
(18 USC § 1030 Sect. (a)(3)). 

4 Accessing a computer to defraud and obtain value: To knowingly and with 
the intent to defraud access to a protected computer without authorization 
or by exceeding authorized access and thereby further the intended fraud and 
obtain anything of value (18 USC § 1030 Sect. (a)(4)). 


These acts cover a wide range of offenses and are written broadly enough to 
prosecute hackers regardless of whether they are internal or external attackers 
(Brenner, 2008; Furnell, 2002). Specifically, an internal attacker is an individual 
who is authorized to use and has legitimate access to computers, networks, and 
certain data stored on these systems. For example, college students are typi- 
cally allowed to use online registration systems, access course content hosted on 
Blackboard or other learning sites, and use computer systems on campus through 
a username and password sign-in system. They are not, however, allowed to 
enter in grades or use sensitive systems that are reserved for faculty and admin- 
istrators. If a student wanted to change their grades electronically, they would 
have to exceed their authorized use by guessing a password or exploiting a 
system’s vulnerability in order to gain access to grading systems. Thus, their use 
of existing internal resources makes them an internal attacker. Someone who 
attempts to change grades or access sensitive systems, but is not a student or an 
authorized user, would be defined as an external attacker (Brenner, 2008; Fur- 
nell, 2002). This is because they have no existing relationship with the network 
owners and are completely outside of the network. 

The US Supreme Court in June 2021 provided clarity on what is meant by 
“exceeding authorized access” in the case of Van Buren v. United States (2021). 
Georgia police officer, Nathan Van Buren, searched a license plate database in 
order to be paid by a third party for information. This unauthorized use of the 
database led to his conviction under the CFAA. The Supreme Court in a 6-3 
decision, however, held that the CFAA had been interpreted too broadly, and 
that it does not cover situations in which an individual, who “plainly flouts” 
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departmental policies, accesses databases for improper reasons if they had the 
authorization to access the information in the first place. The Court further 
found that a broad interpretation of the CFAA could lead to a significant num- 
ber of commonplace computer activities, such as using your work computer to 
search the Internet for personal reasons, to be illegal. The dissenting opinion, 
written by Supreme Court Justice Clarence Thomas, argued that a plain read- 
ing of the statute would indicate that the police officer exceeded his authorized 
access to the database when he used it for personal gain and not for official law 


enforcement purposes. 


To read the full Supreme Court decision in Van Buren v. United 
States, go online to: https://www.supremecourt.gov/opinions/20pdt/ 
19-783_k531.pdf 


To learn more about the insider threat problem and how it 
may be mitigated, go online to: https://www.ncsc.gov/issues/docs/ 


Common_Sense_Guide_to_Mitigating_Insider_Threats.pdf 


The punishments for violating the CFAA vary based largely on the harm 
caused by the incident and the number of prior convictions. For example, the 
minimum sentence for these crimes can be a 10—20 year sentence related to acts 
of trespass designed to obtain national security information (Sect. (a)(1)), while 
simply accessing a computer and obtaining information of value (Sect. (a)(2)) 
varies from one year in prison and/or a fine to up to ten years if the offender has 
either multiple charges brought against them or if they engaged in the offense 
for commercial or private gain (18 USC § 1030). Individuals who trespass in 
government controlled computers (Sect. (a)(3)) can receive both a fine and 
imprisonment for not more than one year, though if it is part of another offense 
then it can be up to ten years. 

The greatest sentencing range involves attempts to access a computer in 
order to engage in fraud and obtain information (Sect. (a)(4)). If the object of 
the fraud and the thing obtained consists only of the use of the computer and 
the value of that use does not exceed $5,000 in any one-year period, then the 
maximum penalty is a fine and up to five years in prison. If the incident involves 
harm that exceeds $5,000, affects more than ten computers, affects medical 


data, causes physical injury to a person, poses a threat to public health or safety, 
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or affects the US government’s administration of justice, defense, or national 
security, then the punishments can start at ten years and/or a fine (18 USC 
§ 1030). If the hack either attempts to cause or results in serious bodily injury, 
the actor can receive up to 20 years in prison, and he or she can be eligible for 
a life sentence if the hack either knowingly or recklessly caused death. These 
changes were a direct result of the Cyber Security Enhancement Act, which was 
a subsection of the Homeland Security Act of 2002 (Brenner, 2011; 18 USC 
§ 1030; see also Chapter 10). This Act amended the punishments available to 
federal judges when dealing with cybercrime cases in order to more accurately 
reflect the severity of harm that may result from hackers’ attacks against com- 
puter systems and data. 

The CFAA also allows victims of hacking cases to pursue civil suits against 
the attacker (18 USC § 1030). Specifically, the statute allows any person who 
suffers either damage or losses due to a violation of the CFAA the opportunity 
to seek compensatory damages within two years of the date of the complaint or 
discovery of damages. It does not place limits on the amount of damages that 
an individual may seek, though the statute stipulates that computer software 
and hardware manufacturers cannot be held liable for negligent designs or man- 
ufacturing (Brenner, 2011). As a result, this essentially releases a vendor from 
any civil responsibility for the presence of vulnerabilities within their products. 
Instead, it is the attacker who is held liable for the identification and use of 
exploits against those vulnerabilities. 

An additional federal statute pertaining to hacking is 18 USC § 1030 Sect. 
2701 (a), referencing unlawful access to stored communications. Given that so 
much personal information is now stored in email accounts hosted on web 
servers that are protected through limited security protocols, like passwords 
that can be easily hacked, there is a need to protect this information at all 
points. This statute makes it an offense to intentionally either (1) access with- 
out authorization a facility through which an electronic communication is 
provided; or (2) exceed an authorization to access such a facility and then 
obtain, alter, or prevent authorized access to a wire or electronic commu- 
nication while it is in electronic storage. This law is designed to help secure 
personal communications and information, particularly against nation-state 
attackers who may attempt to use email or communications to better under- 
stand a target (Brenner, 2011). 

Initially, the punishments for these offenses involved a fine and/or impris- 
onment for not more than one year for the first offense, and up to five 


years for a subsequent offense. This statute was amended by the Homeland 


Computer Hackers and Hacking 


Security Act of 2002 to increase the penalties if the offense was completed 
for “purposes of commercial advantage, malicious destruction or damage, or 
private commercial gain, or in furtherance of any criminal or tortuous act 
in violation of the Constitution or laws of the United States or any State” 
(6 U.S.C. 145 Cybersecurity Enhancement Act of 2002). If the attacks 
occurred for these reasons, an actor may receive a fine and up to five years in 
prison for the first offense, and then up to ten years imprisonment for multi- 
ple offenses (Bossler, 2020). 

In addition to federal statutes, all states have laws against computer hacking 
in some shape or form (Bossler, 2020; Brenner, 2011; National Conference of 
State Legislatures (NCSL), 2021). In fact, the first state to pass a law related to 
hacking was Florida in 1978, with the creation of the Computer Crimes Act. 
Though each state is different, they largely define hacking in one of two ways: 


1 the unauthorized access to computers or computer systems; 
2 unauthorized access leading to the acquisition, theft, deletion or corruption 
of data. 


The terminology used to define hacking is varied, ranging from “‘unauthorized 
access” to “computer trespass” to “computer tampering.” A majority of US 
states used a two-tiered system to classify computer hacking as either a misde- 
meanor if there was unauthorized access with no damage or further criminal 
behavior or as a felony if the unauthorized access was accompanied with further 
criminal behavior such as the copying or destroying of files (Brenner, 2011). 
Some states use a single statute for all unauthorized access behaviors regardless 
of whether any further criminal behavior occurred. Finally, some states place 
computer hacking laws under existing criminal statutes pertaining to burglary, 
theft, and robbery (Brenner, 2011). For instance, Missouri defines computer 
hacking as “tampering” with either computers or data and has placed these 
offenses under Chapter 569, that includes “Robbery, Burglary, and Related 
Offenses.” Others, like North Carolina, place computer hacking and related 
cybercrimes under their own statutes in order to encapsulate the unique nature 


of cybercrimes (Brenner, 2011). 


To learn more about the incident that spawned the first state-level 


computer crime law in the United States, go online to: http:// 


repository .jmls.edu/cgi/viewcontent.cgi?article=1414&context=jitpl 
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Similar legislation is present in countries around the world, though there 
are some variations in the way in which these statutes can be applied or the 
punishments associated with the offense. For instance, the United Kingdom/’s 
Computer Misuse Act of 1990 defines three behaviors as offenses: 


1 unauthorized access to computer material (whether data or a program); 
2 unauthorized access to a computer system with intent to commit or facilitate 
the commission of a serious crime; 


3 unauthorized modification of computer material. 


The structure of this Act recognizes variations in the way that hackers operate, 
such as the fact that only some hackers may attempt to gain access to systems, 
while others may attempt to maliciously use or modify data. Any individual 
found guilty of a violation of the first statute can face a maximum sentence of 
six months or a fine of £2,000, or both. Subsequent charges under the second 
and third statutes are associated with more severe sanctions, including up to five 
years in prison, a fine, or both. 

Several researchers hold this legislation up as a model for other nations 
because of its applicability to various forms of hacking and compromise (see 
Brenner, 2011; Furnell, 2002). The law itself, however, emerged because 
of the absence of existing laws that could be used to prosecute the crimes 
performed by Robert Schifreen and Steven Gold in 1984 and 1985. Specif- 
ically, Schifreen noticed the username and password of a system engineer at 
the British Telecom firm, Prestel, and he and Gold used this information to 
access various parts of the network and gain access to sensitive account infor- 
mation (Furnell, 2002). The two were then caught by Prestel administrators 
and arrested, but there was no legislation against the activities they performed. 
Thus, prosecutors charged the pair under the Forgery and Counterfeiting Act 
of 1981, under the auspices that they “forged” the user credentials of others 
(Furnell, 2002). 

Though both Schifreen and Gold were found guilty, they appealed their 
case claiming that they caused no actual harm and had been charged under 
inappropriate statutes (Furnell, 2002). The two were acquitted based on the 
conclusion that forgery laws were misapplied and their actions were not, in fact, 
a violation of existing criminal law. As a result, the English Law Commission 
recommended that new legislation be developed to criminalize various forms of 
hacking (Furnell, 2002). The law was introduced and passed in 1990, though 
subsequent revisions have been introduced over the last 25 years to increase 
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sanctions, apply the law to offenses involving smartphones, and cover offenses 
involving malicious software (Brenner, 2011; Furnell, 2002). 

Other nations define hacking more narrowly, as with the Indian Informa- 
tion Technology Act, 2000, which specifically criminalizes and references a 
hack as a person who “destroys or deletes or alters any information residing in 
a computer resource or diminishes its value or utility or affects it injuriously by 
any means” (Department of Electronics and Information Technology, 2008). 
Engaging in such an act can lead to a fine of up to 500,000 rupees and/or up 
to three years imprisonment. There are related subsections of the hacking law, 
related to (1) receiving a stolen computer or communications device, (2) using 
a fraudulently obtained password, digital signature, or other unique identifica- 
tion, and (3) cheating using a computer resource (Department of Electronics 
and Information Technology, 2008). While cheating is not specifically defined 
within the law, this is a unique addition that is largely absent from other nations’ 
criminal code. These subsections recognize the role of hacking as a facilitator 
for other criminal acts, extending the utility of the law in a similar fashion to 
the US CFAA. 

At a broader level, the Convention on Cybercrime (CoC), also known 
as the Budapest Convention on Cybercrime, is the first international treaty 
designed to address cybercrime and synchronize national laws on these offenses 
(de Arimatéia da Cruz, 2020; Weismannn, 2011). This Convention was devel- 
oped in conjunction with the Council of Europe, Canada, and Japan in 2001 
and came into force in 2004. The language of the treaty specifically addresses 
a number of cybercrimes (illegal access, illegal interceptions, data interference, 
system interference, misuse of devices, computer-related forgery, computer- 
related fraud, child pornography, and copyright infringements) with the intent 
to create common criminal policies and encourage international cooperation in 
the investigation and prosecution of these offenses. The CoC does not, how- 
ever, encourage extradition, which limits its value in enforcement. Addition- 
ally, those states that sign and ratify the CoC are under no obligation to accept 
all parameters of the Convention. Instead they can select which provisions they 
choose to enforce, further limiting its utility. Thus, the CoC has some inherent 
value for the development of consistent legal frameworks and definitions for 
hacking-related crimes in a global context, but has significant limitations regard- 
ing enforcement (Weismannn, 2011). 

At present, 64 nations have ratified the treaty and another three have signed 
but not ratified the convention (de Arimatéia da Cruz, 2020). The majority 


of the ratifiers are members of the Council of Europe and European Union 
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generally, including Italy, Germany, Turkey, the Ukraine, and the United 
Kingdom. Several nations that are not members of the Council have also rati- 
fied the CoC, including Australia, Canada, Dominican Republic, Israel, Japan, 
Mauritius, Panama, Sri Lanka, and the United States. The language of the CoC 
has served as a model for a number of nations’ cybercrime laws, particularly in 
a number of South American and African nations (Riquert, 2013; Weismannn, 
2011). Thus, the CoC may be invaluable in structuring consistent laws regard- 


ing cybercrime. 


Enforcing and Investigating Hacker Activity 


It is important to note that federal agencies are responsible for cases where the 
victim and offender reside in different states or countries. We will focus our 
discussion on the primary federal agencies responsible for the investigation of 
computer hacking since there are few local law enforcement agencies investi- 
gating computer hacking. This appears to stem from the fact that these cases are 
often very technically complex. In addition, these crimes involve local victims 
compromised by offenders living in completely separate jurisdictions that can- 
not be affected by a police or sheriffs office (Holt et al., 2015). 

One of the most prominent federal law enforcement bodies involved in the 
investigation of hacking cases is the United States Secret Service (USSS). 
The Secret Service was initially part of the Department of the Treasury, dat- 
ing back to its creation in 1865 in order to combat the production and use of 
counterfeit currency after the Civil War (USSS, 2021). Now, however, the 
Secret Service is housed under the Department of Homeland Security (DHS). 
The Secret Service was initially tasked with hacking cases through the CFAA 
because of their mandate to investigate crimes against financial institutions and 
counterfeit currency (18 USC § 1030). The growth of technology and Inter- 
net connectivity among banks and financial service providers made the Secret 
Service seem like an experienced agency, capable of investigating hacking and 
online fraud. 

Today, the Secret Service investigates cybercrimes through its Criminal 
Investigative Division, specifically through its Financial Crimes unit with three 
primary investigative responsibilities concerning cybercrime (USSS, 2021). The 
first involves financial institution fraud (FIF) against banks, savings and loan 
institutions, and credit unions (see Chapter 6 for additional detail). The second 
includes access device fraud, such as the use of passwords in order to engage in 
fraud or hacks against various targets. The final responsibility involves acts of 
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fraud that affect computers of “federal interest,” that directly facilitate interstate 
or international commerce and government information transfers. 

The US Secret Service also has two task forces that investigate cyber intru- 
sions: Electronic Crimes Task Forces (ECTFs) and Financial Crimes Task 
Forces. The Secret Service operates 40 ECTFs that utilize the resources of aca- 
demia, the private sector, and law enforcement at all levels to meet Congres- 
sional mandate for the Secret Service to create a national network to “prevent, 
detect, and investigate electronic crimes, including potential terrorist attacks 
against critical infrastructure and financial payment systems” (USSS, 2021). 

The USSS also operates multiple specialized resources and training programs 
to improve the response to hacking and fraud. First, the Network Intrusion 
Responders (NITRO) Program tasks special agents to assist in the investiga- 
tion and forensic analysis of materials related to various financial crimes (USSS, 
2021). Second, the USSS operates a specialized unit of experts who are housed 
within ECTFs who assist in the capture and analysis of forensic evidence. This 
program helps to ensure critical knowledge is available to those partners work- 
ing with ECTFs across the country. Third, they operate the Electronic Crimes 
Special Agent Program in Computer Forensics (ECSAP-CF) tasked with spe- 
cial agents who performs forensic investigations of various devices, inclusive of 
Internet of Things (IoT), mobile, and vehicle systems (USSS, 2021). 

Fourth, the National Computer Forensics Institute (NCFI) in Hoover, Ala- 
bama is operated by the Secret Service as a resource to train local law enforce- 
ment, prosecutors, and judges to understand the process of digital forensic image 
capture and analysis. This program has been a massive success, training over 
3,800 individuals across the United States (USSS, 2021). In addition, individuals 
who are trained at the NCFI also collaborate with the USSS in their home state 
to increase the capacity for investigation and response to cybercrimes. 

The other prominent agency involved in the investigation of hacking cases 
is the FBI. Cybercrime is one of the FBI’s top three investigative priorities, 
in part by legal mandate in the CFAA. The law stipulates that the FBI has 
the primary authority to investigate hacking cases that involve espionage, for- 
eign nation-states, counterintelligence, and classified sensitive data that affects 
national defense or foreign relations. 

In order to address that mandate, the FBI has established several capabilities 
and partnerships. The FBI operates a Cyber Division at its headquarters to coor- 
dinate their cyber strategy. They also run cyber squads in each field office across 


the country with the capacity to investigate various forms of cybercrime. They 


also have specialized Computer Crimes Task Forces that can investigate 
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cybercrimes and work with other law enforcement agencies at the local, state, 
and federal levels (FBI, 2021a). These task forces are focused on investigating 
attacks against critical infrastructure, hacks that target private industry or finan- 
cial systems, and other cybercrimes. The CTFs in each region are also respon- 
sible for developing and maintaining relationships with public and private 
industry partners in order to improve their response capabilities (FBI, 2021b). 
The Bureau also operates Cyber Action Teams (CATs), which are highly 
trained small groups of agents, analysts, and forensic investigators who can 
respond to incidents around the world. These teams are designed to collect data 
and serve as rapid first responders to any incident, no matter where it occurs 


around the world. 


For more information on the FBI, go online to: https://www.tbi. 


gov/investigate/cyber 


In addition, the FBI operates the InfraGard project, which is a nonprofit 
public-private partnership designed to facilitate information sharing between 
academics, industry, and law enforcement (InfraGard, 2021). The group is 
designed to aid in collaborations in order to better protect critical infrastruc- 
ture and reduce attacks against US resources. InfraGard operates in chapters 
across the United States, which hold regular meetings to discuss threats and 
issues of interest with members. InfraGard has 79 chapters across the United 
States, and its membership must undergo a vetting process in order to partic- 
ipate (InfraGard, 2021). In turn, members gain access to a secured web portal 
where intelligence on threats, vulnerabilities, and general information is shared. 
This partnership has been very successful, though members of the hacker group 
LulzSec attacked InfraGard chapter websites in order to embarrass the FBI (see 
Satter, 2011; Box 3.7 for more detail). This attack, however, appears to be an 
isolated incident in the otherwise positive partnerships afforded by InfraGard. 

While the FBI and Secret Service focus on the investigation of cybercrimes, 
they must work in close concert with the United States Attorney’s Office, which 
is a part of the US Department of Justice (DOJ) focused on the prosecution 
of federal criminal cases. Though the FBI is part of the DOJ, they operate as 
an investigative arm, while the Attorney’s Office represents the federal govern- 
ment in court to prosecute suspects. In fact, the investigation of cybercrimes is 
largely handled by the Criminal Division’s Computer Crime and Intellec- 
tual Property Section (CCIPS). 
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Box 3.7. Exploits of LulzSec 
LulzSec Hacks FBI Affiliate, Infragard 


http://www.digitaltrends.com/computing/lulzsec-hacks-fbi-afhiliate- 


infragard/ 


Hacker group Lulz Security (aka LulzSec) is on a war path. Following 
their highlight public hacks of the PBS website and SonyPictures.com, 
LulzSec has now set its sights on the top law enforcement agency in the 
United States: The Federal Bureau of Investigation. 


This article provides an overview of the hacks performed by the Anony- 
mous offshoot hacking group LulzSec against Infragard. In addition, the 
article illustrates some of the tension between Anonymous and security 


specialists. 


Initially, violations of the CFAA were prosecuted at the federal level through 
the Computer Crime Unit, first established in 1991 (United States Department 
of Justice (US DOJ), 2021)). The expansion of the Internet and the resulting 
range of cybercrimes that became possible led to a restructuring of the unit to a 
full Section with the enactment of the National Information and Infrastructure 
Protection Act of 1996. The unit now deals exclusively with the investigation 
and prosecution of cybercrime cases and intellectual property crimes, through 
close collaboration with law enforcement agencies and private industry. 

The CCIPS division also provides support for prosecutors handling similar 
cases at the federal, state, and local levels, and works with legislators to develop 
new policies and legal statutes to deal with cybercrime generally. Recently, 
the Criminal Division created the Cybersecurity Unit within the CCIPS “to 
serve as a central hub for expert advice and legal guidance regarding how the 
criminal electronic surveillance and computer fraud and abuse statutes impact 
cybersecurity” (US DOJ, 2021). This unit also focuses on outreach, attempting 
to inform businesses and industry about the threats they face and improve the 
state of cybersecurity practice without violating the law. 

Specialized law enforcement agencies also operate around the world to 
investigate cybercrimes that may violate local or federal laws. For example, the 
National Crime Agency’s (NCA) National Cyber Crime Unit (NCCU) 


is responsible for leading the United Kingdom’s response to serious forms of 
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cybercrime, provide cyber specialist support, and to coordinate the nation’s cyber 
response with Regional Organized Crime Units, the Metropolitan Police 
Cyber Crime Unit, industry, and international law enforcement agencies. As 
part of this coordination, they share intelligence and expertise to increase 
the knowledge of the cyber threat in order to more effectively disrupt cyber- 
crime activity. Thus this unit serves a similar role to that of the FBI in the 
response to serious cybercrimes (National Crime Agency, 2017). Similar struc- 
tures are present in the Korean National Police and the Royal Canadian 
Mounted Police through their Integrated Technological Crime Unit (Andress 
& Winterfeld, 2011). 


For more on the concerns expressed by the FBI director regarding 
cyberattacks in 2021, go online to: https:// www.cnn.com/2021/06/04/ 
politics/christopher-wray-cyberattacks-9-11/index.html 


Summary 


The computer hacker subculture is distinctive and provides justifications for 
individuals to develop a deep understanding of technology and the ability to 
apply their knowledge in innovative ways. Some hackers use their skills for 
malicious purposes, while others use them to protect computer systems. Both 
ethical and malicious hackers may have to utilize the same skill sets to com- 
plete an activity. In fact, hackers judge one another on the basis of their skill, 
connection to technology, and depth of knowledge. Those with demonstrable 
skills garner more respect from their peers, while those with minimal skill may 
be derided by others. 

The perception of hackers as malicious actors stems directly from the evo- 
lution of hacking and technology. The criminalization of hacking in the late 
1970s and 1980s, coupled with the development of the PC, enabled a shift in 
the hacker subculture and the expansion of hacking to new populations. As 
technology became more user friendly, the hacker culture changed, creating 
significant variation in the skill and ability of hackers. These factors have pro- 
duced the current population of skilled and semiskilled hackers with various 
motives and ethical orientations. Thus, there is no single way to deal with hack- 
ers who use their skills for criminal gain. Instead, it is critical to understand that 
script kiddies and noobs present a different threat than those black-hat hackers 


who can successfully penetrate systems without detection. 
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Discussion Questions 


1. Think about the various ways that you have seen hackers portrayed in 
popular media over the last few years. Are they heroic characters or dan- 
gerous criminals? Do the representations conform to any of the realities 
of the hacker subculture, or do they simply further stereotypes about 
hackers as a whole? 

2. If hacking is a skill or ability, does it share any similarities to other real- 


world activities that can be applied in malicious or ethical ways? 


is») 


. Compare the ideas expressed in the hacker ethic against the comments made 
by the Mentor in the Hacker Manifesto. Do they make similar points, or 
are they very different documents? If there are common themes, what do 


they suggest about hacking and the complexities of the hacker subculture? 


aN 


. Given the range of actors evident in the hacker subculture, is it possible 
that ethical and unethical hackers may share similar motives? If so, what 
might those motives be, and is it possible to identify an individual’s ethi- 
cal stance based solely on their motives? 

5. What were the weaknesses of using “traditional” legislation to prosecute 


hackers? How did newer legislation address those problems? 
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Chapter Goals 


e Define malware and the role of vulnerabilities and exploits in their 
activation 

e Identify the differences between viruses, trojans, worms, and blended 
threats 

e¢ Understand why individuals write and distribute malicious software 

e Assess the legal frameworks used to pursue cyberattacks facilitated by 
malicious software 

e Recognize the role of law enforcement agencies and the security 
industry to mitigate malware in the wild 


Introduction 


Much like the threat posed by computer hackers explored in Chapter 3, there is 
a good deal of confusion and misunderstanding around the issue of malware or 
malicious software. Many in the general public have heard the term “virus” or 
perhaps “trojan” in computing, though they may neither understand what they 
actually do nor how they operate. The lack of understanding is compounded by 
the number of security tools available to protect computer systems from mal- 
ware. Although most laptops and desktop computers are sold with some form 
of antivirus software preinstalled, owners may not know how, when, or why to 
properly use these tools. Additionally, most mobile phones and tablet comput- 
ers, such as iPads or Kindles, do not have this software even though they can be 
infected by malware. 

Computer users who understand the value and necessity of antivirus software 
and security tools to minimize the likelihood of infections may not realize that 
they are still vulnerable to attacks from new code that has just been identified. 
Though that may seem like a relatively minor dilemma, consider that there 
were at least 677 million pieces of malware identified by one cybersecurity firm 
in 2020 alone (Clement, 2020)! That is the equivalent of two pieces of malware 
for every person in the entire US population. Additionally, the behavior of 
malware can often be so subtle that an individual may not know that they have 
been affected. 
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For some examples of vulnerabilities and malware, go online to: 


1. https://www.forbes.com/sites/augustinefou/2020/06/02/what-do- 
hacking-and-malware-have-to-do-with-ad-fraud/ 

2. https://www.forbes.com/sites/augustinefou/2020/12/17/hackers- 
dont-even-have-to-hack-users-who-voluntarily-download-apps-and- 
browser-extensions/?sh=60b38a8f83edextensions/ 


This chapter is designed to provide a basic understanding of malware, 
including the most common forms of malware that are active in the wild. Due 
to the substantive technical details involved in the classification and operation 
of malware, this chapter will provide descriptions of each form without going 
into overly technical explorations of their functionality. Instead, a summary 
description will be provided using minimal technical jargon in order to give 
readers a basic appreciation for the range of malware currently operating, its role 
in attacks, and any historical evolution of these tools in the hacker and computer 
security community generally. Visual examples of the user interfaces associated 
with malware will also be provided to demonstrate the ease with which some 
tools can be used. The legal frameworks used to prosecute malware-related 
cybercrimes and their relationship to hacking will also be discussed. Finally, we 
will consider the legal and computer security entities operating to protect users 


from malware threats. 


The Basics of Malware 


Malicious software, or malware, is largely an umbrella term used to encap- 
sulate the range of destructive programs that can be used to harm computer 
systems, gain access to sensitive information, or engage in different forms of 
cybercrime. Malware can serve a countless number of different functions but are 
generally designed to automate attacks against systems and simplify the process 
of hacking overall. Various forms of malware have increased in complexity in 
keeping with the evolution of technology over the last two decades (BitDe- 
fender, 2021; Symantec, 2021). Malware, however, exists in a nebulous legal 
space as there are no specific laws against the creation of malicious software 
(Brenner, 2011). It is simply computer code, which writers can argue is neces- 
sary in order to better understand the limits of computer and network security. 


The use of these tools in or to access computers without permission from the 
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system owner is, however, illegal. Thus, individuals who write malicious code 
may have minimal legal culpability for the way that others use their creations 
so long as they are not the ones utilizing it on networks without authorization 
(Brenner, 2011). 

Malicious software programs operate by exploiting vulnerabilities, or flaws, 
in computer software or hardware (O’Driscoll, 2021; Symantec, 2021). Every 
program has design flaws. There are literally thousands of vulnerabilities that 
have been identified in systems that individuals use every day, such as Microsoft 
Windows and popular web browsers. In fact, there were 12,174 vulnerabilities 
reported in 2019 alone (CVE, 2020). The presence of a vulnerability allows an 
attacker to understand and gain initial access to a target system in some way. 
Many security professionals attempt to identify vulnerabilities in order to help 
secure computer systems, though this information is typically released to the 
public through open forums or email lists like BugTraq (see Box 4.1; Taylor, 
1999). As a result, attackers can immediately use information on vulnerabilities 
to their advantage. 

Once a vulnerability is identified, malware writers then create an exploit, 
or a piece of code, that can take advantage of vulnerabilities to give the attacker 
deeper access to a system or network (Symantec, 2021). These exploits are often 


Box 4.1. The Debate over Public or Private 
Vulnerability Disclosures 


Vulnerability Disclosure Debate 


http://web.archive.org/web/20100102144837/http://spirit.com/ 
Network/net0800.html 


Today, there are appeals to put the genie back into the bottle. That is, to 
stop the publishing of new vulnerabilities. There is even a proposed law 
that would make some forms of vulnerability testing illegal in the US. 


This article provides an interesting debate on the issue of vulnerability 
disclosures and the relationship between black-hat and white-hat hackers 
who identify and provide this information to the public for free or com- 
panies and security vendors for a profit. This work helps to give context 
to the difficult need to balance privacy and free information exchange in 


the security community. 
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built into malware to compromise and influence the victim machine more efhi- 
ciently. The changes that a piece of malware causes to a computer system are 
affected by what is commonly called its payload. When a piece of malware is 
activated and executes the program it contains, the resulting impact on the sys- 
tem can range from benign to highly destructive, depending primarily on the 
skills of the writer and their interests. In fact, early malware typically caused no 
actual harm to the system or its contents but annoyed the victim by present- 
ing them with messages or playing music at a high volume. Many variants of 
malware today often delete or change system files, causing harm to the user’s 
documents and files, or collect information that users input or store on their 
system, causing a loss of personally identifiable information. Some malware can 
even disrupt the basic functions of an operating system, thereby rendering a 
computer unusable. 

Malware is generally used to disrupt email and network operations, access 
private files, steal sensitive information, delete or corrupt files, or generally dam- 
age computer software and hardware (BitDefender, 2021; Symantec, 2021). 
As a result, the dissemination of malware across computer networks can be 
costly for several reasons, including, but not limited to (1) the loss of data and 
copyrighted information; (2) identity theft; (3) loss of revenue due to customer 
apprehension about the safety of a company’s website; (4) time spent remov- 
ing the programs; and (5) losses in personal productivity and system functions. 
The interconnected nature of modern computer networks and the Internet of 
Things (IoT) also allows an infected system in one country to spread malicious 
software across the globe and cause even greater damage. Thus, malware infec- 
tion poses a significant threat to Internet users around the globe. 


Viruses, Trojans, and Worms 


Malicious software is a problem that many individuals in the general public with 
minimal technical proficiency do not understand. Part of the confusion lies in 
identifying the diverse range of current malware. The most common forms 
of malware include computer viruses, worms, and trojan horse programs that 
alter functions within computer programs and files. These programs have some 
distinctive features that separate them from one another, though more recent 
forms of malware combine aspects of these programs together to create what are 
commonly called blended threats. We will explore the most common forms 
of malware here and differentiate them based on their unique features and utility 


in an attack. 
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Viruses 


Viruses are perhaps the oldest form of malware, operating since the earliest days 
of computing (Szor, 2005). This form of malware can neither be activated nor 
execute its payload without some user intervention, such as opening a file or 
clicking on an attachment. The target must execute the code in some fashion 
so that the virus will be installed in either existing programs, data files, or the 
boot sector of a hard drive (Szor, 2005). In addition, many viruses may access 
sensitive data, corrupt files, steal space on the hard drive, or generally disrupt 
system processes. 

Viruses can install themselves in data files or existing programs and oper- 
ate based on the parameters of a specific operating system, whether Windows, 
Linux, or Mac OS. These viruses will attempt to install themselves in any exe- 
cutable file so as to ensure their success. Some viruses can overwrite the contents 
of their target file with malicious code, which renders the original file unusable. 
Such a tactic is, however, easy to identify because the error or failure that results 
may be immediately obvious to the user. Other viruses can insert their code 
into the file but leave it operational so that it will not be identified by the user. 
Finally, some viruses can clone an existing file so that it runs instead of the orig- 
inal program (Szor, 2005). 

Boot sector viruses operate by attempting to install their code into the 
boot sector of either a form of storage media like a flash drive or into the hard 
disk of the targeted computer (Szor, 2005). A boot sector is a region of any 
sort of storage media or the hard disk of a computer that can hold code, which 
is loaded into memory by a computer’s firmware. There are a range of boot 
sectors, but the operating system loader of most devices is stored starting in the 
first boot sector so that it is the first thing that the system loads. As a result, virus 
writers create boot sector viruses so that they can load the code of their virus 
into the random access memory (RAM) of the computer. This ensures that the 
virus will always be present in the system from the start to the finish of each 
session. In fact, boot viruses can gain control of the entire system by installing 
themselves into a specific region and then changing the boot record so that the 
original code is no longer in control of the system. The malware then becomes 
extremely difficult to identify and eradicate and can severely impact the func- 
tionality of the system (Szor, 2005). 

Some of the first viruses observed in the home PC market during the 1980s 
were boot sector viruses that spread to other machines via floppy disks. These 


viruses generally had limited functionality and malicious utility. For example, 
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they might often play music or delete letters in documents. For instance, one 
of the first viruses observed in home computers was called Ellk Cloner and was 
designed to infect Apple II computers via a floppy disk (Manjoo, 2007). The 
code was written as a prank by Rich Skrenta, a 15-year-old person who liked 
to play and share computer games. He wrote Elk Cloner in order to play a 
practical joke on his friends without clueing them into the presence of the code 
(Manjoo, 2007). The virus was attached to a game which when played 50 times 
would display the following poem: 


Elk Cloner: The program with a personality 
It will get on all your disks 

It will infiltrate your chips 

Yes, it’s Cloner! 

It will stick to you like glue 

It will modify RAM too 

Send in the Cloner! 


Though the program caused no actual harm, the code was difficult to remove 
and infected many machines because the virus would install locally on any com- 
puter and then infect other floppy disks inserted into the infected system (Man- 
joo, 2007). 

Macro viruses are also a popular way to infect systems by using a com- 
mon weakness in a variety of popular programs like Excel, Word, and PDFs 
(F-Secure, 2017; Szor, 2005). Virus writers can write a program using the macro 
programming languages associated with specific applications and embed the 
code into the appropriate file, such as a PowerPoint presentation. Opening the 
file actually executes the virus, enabling the infection payload to be activated 
and subsequently embedding the code into other documents of the same type so 
that any attempt to share a file will lead to other systems being infected. Macro 
viruses designed to target Microsoft Outlook can infect a user’s computer by 
including infected files, or even by the user previewing an infected email. 

In the early 1990s, virus writers began to employ encryption protocols in 
order to make the code more difficult to detect and remove (Szor, 2005). This 
novel tactic was further adapted through the development of MuTation 
Engine (MtE) in 1991, a polymorphic generator that not only encrypted the 
virus but also randomized the routine used so that it varied with each replica- 
tion. The term polymorphic references the ability to take multiple forms or go 


through various phases. In the context of malware, this term references the use 
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of code to hide viruses from detection by changing their structure in order to 
not match existing signatures. Thus, the emergence of polymorphic engines led 


to an increase in the number of these viruses in the wild in 1993. 


For a deeper explanation of polymorphic engines in malware, 
go online to: www.dailymotion.com/video/xcetxj_avg-tutorials-what- 
is-polymorphic-v_tech 


During this period, the Microsoft Windows operating system emerged 
and became tremendously popular among home computer users for its easy 
use and various features. As a result, virus writers began to target Windows 
users and incorporated the use of macros in order to compromise the sys- 
tem. The first macro virus, called Concept, was found in 1995 (see Box 4.2 
for more details; Paquette, 2010). This code would only replicate itself and 
displayed the following message: “That’s enough to prove my point.” This 
was not necessarily malicious but demonstrated that macros were a weak- 
ness that could be exploited. As a result, a number of macro-based viruses 
were released, affecting both Windows and Mac OS computers since both 
operating systems could run the Microsoft Office software suite (Paquette, 
2010). This common business-based software includes Excel and Word, both 


Box 4.2 F-Secure Report on Virus W32/Concept 
Malware 


Virus: W32/Concept 


www.f-secure.com/v-descs/concept.shtml 


The virus gets executed every time an infected document is opened. 
It tries to infect Word’s global document template, NORMAL.DOT 
(which is also capable of holding macros). If it finds either the macro 
“PayLoad” or “FileSaveAs” already on the template, it assumes that the 
template is already infected ... 


This technical brief provides an in-depth analysis of how a macro virus 
operates in a Windows system, including a breakdown of how it infects 
programs overall. 
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of which could be easily affected by macro-based viruses as they support a 
macro programming language. 

Around the same time, viruses began to spread through the Internet as the 
World Wide Web was becoming popular among home users and more easily 
accessible through an increase in Internet service providers. In fact, one of the 
most prominent viruses of this period, the Melissa virus, which was first iden- 
tified in 1999, spread through the web and utilized macros to infect users’ com- 
puters (F-Secure, 2014). The Melissa virus was distributed through an online 
discussion group titled alt.sex by sending an infected file titled “List. DOC” that 
contained passwords for pornographic websites. Anyone who opened the file 
using Microsoft Word 97 or 2000 was infected. The macro code then attempted 
to email itself out to 50 people using the email client in Microsoft Outlook 
(F-Secure, 2014). Given that it would send 50 emails per infected system, the 
infection rate was quite substantial. Additionally, the code altered the Word 
program to infect any new document created. 

The virus payload was not necessarily harmful in that it did not delete files 
or corrupt systems, but it clogged email servers because of its distribution pat- 
tern. In the end, it was estimated that approximately 1.2 million computers 
were infected in the United States with $80 million in damages worldwide due 
to system outages and the costs to remove the malware (Szor, 2005). Based on 
the success of the Melissa virus and others, malware writers quickly began to 
adopt the web as a means to spread their code as widely and as easily as possible. 
They not only targeted common OS products like Microsoft Office but also 
programming languages commonly used in web browsing software and tools 


such as Java. 


Trojans 


In addition to viruses, trojans are a prevalent form of malware. This form of 
malware is similar to viruses in that it cannot replicate on its own but requires 
some user interaction in order to execute the code. It got its name from the 
trojan horse of ancient Greece, which was a giant wooden horse concealing 
soldiers inside (Dunham, 2008). The horse was brought inside fortified city 
walls under the belief that it was a gift; this enabled the warriors to sack the 
city. Computer-based trojans share a similar structure in that they appear to be 
a downloadable file or attachment that people would be inclined to open, such 
as photos, video, or documents with misleading titles such as “XXX Porn” or 


“Receipt of Purchase” (Dunham, 2008). When the file is opened, it executes 
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some portion of its code and delivers its payload on the system. Thus, trojan 
writers utilize social engineering principles in order to entice users to open their 
files (see Chapter 3 for more details). 

Trojans do not typically replicate themselves on the infected system or 
attempt to propagate across systems. Instead, trojans most often serve to estab- 
lish backdoors that can be used to gain continuous unauthorized access to an 
infected system (Dunham, 2008). Specifically, the code can open ports and 
establish remote controls between the infected system and the operator’s com- 
puter allowing them to invisibly execute commands on that system. This is 
achieved through the use of a client and server system, where the victim exe- 
cutes the trojan and establishes a server on their computer that can be remotely 
accessed by a client program on the attacker’s computer (Dunham, 2008). The 
commands sent between the client and server are largely invisible to the infected 
user, though if the attacker utilizes too much of the available processing power, 
it may slow down the infected system. 

The benefits of trojan programs to an attacker are that they can configure 
the tool to perform a range of functions, including keystroke logging, access to 
sensitive files, use of the webcam or other system tools, use of the infected sys- 
tem as a launch point for attacks against other systems, and even send additional 
forms of malware to the system to engage in secondary infections. Many trojans 
also allow the attacker to restart a computer remotely and manage its activities 
without the victim’s knowledge. Some even give the attacker the power to 
uninstall or deactivate security tools and firewalls rendering the system unable 
to protect itself from harm (Dunham, 2008). 

One of the more noteworthy trojans that combined all of these functions 
into a single tool was called Sub7 or SubSeven, a piece of malware initially 
written by a hacker called Mobman (Crapanzano, 2003). The program func- 
tions on virtually all variations of the Windows operating system and acts as a 
sort of remote control program in that the attacker can remotely command the 
system to perform a variety of functions. To achieve this, the program has three 
components: the server, client, and server editor. The server portion runs on 
the victim machine enabling the client machine, operated by an attacker, to use 
the system remotely. The server editor allows the attacker to define the operat- 
ing functions and utilities of the infection, making it possible for the attacker to 
have clear control over their victim (Crapanzano, 2003). 

Sub7 has a range of functions, including giving the attacker remote access to 
system files, the ability to control the system camera and microphone, access to 
cached passwords, and the ability to change desktop colors, open disk drives, and 


Malware and Automated Computer Attacks 


ntvactiewpand) [show hide ‘fun waa ga] 


| lenter tha IP. # and press ‘connect’ nes 
| commection manager file manager 


127.0.0.1 999” ii a 
| ipscanner | __ip ts addressbook | 
eee ee 


k message $ manager 


Be FS SS ES 
fre rece ea 
play wav] setwallpaper| print [show image 

= | clear | | openchat | Ww ream ros <4 


ase kickin! alte 


[see desktop [ip screen] FIP server] find files 
| a eee ES 
an RT 


capture sensitive data (see Figure 4.1 for an example of the attacker interface; 
Crapanzano, 2003). In addition, the server editor function allows the attacker 
to receive email or instant message alerts when their victim system is online for 
more careful management. It is also very easy to attempt to infect user systems, 
as Sub7 can be sent via email or other attachments. These factors may account 
for the popularity of Sub7 among hackers, particularly script kiddies (see Chap- 
ter 3 for details on script kiddies). 


For more information on Sub7 attacks in the wild, go online to: 


1. https://malwiki.org/index.php?title=Sub7 
2. https://www.pandasecurity.com/en-us/security-info/29113/ 


information/Sub7/ 


The utility of trojans has led them to become one of the most popular forms 
of malware available (BitDefender, 2021; Panda Security, 2015). In fact, one of 
the most dangerous and common trojans currently active today is commonly 


Fig. 4.1 The 
SubSeven 
attacker 
graphical user 
interface (GUI) 
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Fig. 4.2 An 
example of a 
Zeus malware 
variant GUI 
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called Zeus. This malware targets Microsoft Windows systems and is often 
sent through spam messages and phishing campaigns in which the sender either 
sends attachments or directs the recipient to a link that can infect the user (see 
Chapter 6 for more details). Once installed, the trojan creates a backdoor in the 
system, so it can be remotely controlled. It also affects the web browser in order 
to capture sensitive data entered by a user (see Figure 4.2 for example of Zeus 
GUI; Symantec, 2014). In addition, Zeus can collect passwords stored locally on 


the infected system and act as a traditional keylogging program. 


To see Zeus malware distribution patterns, go online to: https:// 
cyware.com/news/the-tale-of-the-ever-evolving-zeus-trojan-and-its- 
variants-814d037e 


This trojan is extremely adaptable and has been used as the basis for a range 
of malware used in attacks against various financial institutions across the globe. 
In fact, a form of Zeus has been identified that infects the Google Android 
operating systems common on smartphones and tablets (Leyden, 2012). This 
malware acts as a banking app that can be downloaded and installed on a phone 
in order to capture SMS messages sent to bank customers from financial institu- 
tions in order to authenticate transactions. The use of SMS messaging is com- 
mon in European banking in order to authenticate account information and 
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transactions made by a customer. Obtaining this information allows attackers to 
engage in fraudulent transfers between accounts and verify that they are correct 
without the need for victim interaction. As a result, a group of cybercriminals 
was able to obtain 36 million Euros from over 30,000 customers in Italy, Ger- 
many, Spain, and Holland using this malware (Leyden, 2012). 

A Zeus variant was also used in a series of attacks against hundreds of victims 
across the United States leading to losses of over $70 million during 2009 (FBI, 
2010). This campaign was operated by multiple individuals living in Eastern Europe, 
the United States, and the United Kingdom. The ring of thieves was disrupted by 
a multinational investigation spearheaded by the Federal Bureau of Investigation in 
2010. There were over 100 arrests in this case. The majority of the arrests were in 
the United States for violations of fraud and money laundering statutes. 


Worms 


Worms are a unique form of malware that can autonomously spread on their 
own, though they do not necessarily have a payload (Nazario, 2003). Instead, 
they utilize system memory to spread, self-replicate, and deteriorate system 
functionality. Worms are written as stand-alone programs in that they do not 
need to attach to existing system files or modify any code. Once it is activated, 
it copies itself into the system memory and attempts to spread to other sys- 
tems through email address books or other mechanisms. Should an unsuspecting 
recipient click on an attachment sent from a worm-infected system, the code 
will execute and infect that system, replicating the process. 

As a result, worms can spread rapidly, and depending on their functionality, 
cause massive network outages. For example, the Code Red worm, activated 
online on July 13, 2001, began infecting any web server using Microsoft’s IIS 
web server software. The initial growth of the worm was small, but by July 19, 
it exploded and infected more than 359,000 computer systems worldwide 
within a 14-hour period (CAIDA, 2001). The infection rate was so fast that it 
was infecting 2,000 hosts per minute during its peak spread that day. The sheer 
number of the worm’s attempts at replication caused a virtual denial of service 
attack across most of the industrialized world as the worm’s traffic absorbed 
almost all available bandwidth. 


To see a video of the spread of the Code Red worm, go online 
to: www.caida.org/research/security/code-red/coderedv2_analysis.xml 
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In addition to network degradation, some worms contain secondary pay- 
loads to affect computer systems or servers. For instance, the Code Red worm 
contained code to display the following message on any web page hosted on 
a server infected by the worm: “HELLO! Welcome to http://www.worm. 
com! Hacked by Chinese!” In addition, the worm contained a secondary pay- 
load to engage in denial of service attacks against various websites, including 
the White House. The infected systems, however, seemingly terminated all 
activities within 28 days, suggesting there may have been some code within the 
worm that triggered it to shut down independently (CAIDA, 2001). 

Beyond payloads, it is critical to note that worms can cause tremendous 
harm on their own by crashing email servers, overloading networks with 
floods of requests, and severely diminishing the functionality of infected sys- 
tems by forcing them to constantly scan and attempt to replicate the code to 
other systems (Nazario, 2003). The first example of a worm in the wild was 
created by Robert Tappan Morris and became known as the Morris worm. 
The worm went active on November 2, 1988, after being released by Morris 
through a computer at MIT. Morris, a student at Cornell University, claimed 
he designed the worm to assess the size of the Internet by copying the worm 
code on each computer connected online at that time (Eisenberg et al., 1989). 
The code was improperly written and malfunctioned, establishing multiple 
copies of itself on each system which caused them to slow down dramatically 
due to the copies trying to replicate themselves and spread to other systems. 
Morris’ errors caused an estimated 6,000 UNIX computer systems to be 
infected multiple times over and become effectively unusable (Eisenberg 
et al., 1989). 


For more information on the Morris worm, go online to: https:// 


www.youtube.com/watch?v=o02dj2enxjtU 


Morris was prosecuted and convicted in federal court for violating the Com- 
puter Fraud and Abuse Act. Interestingly, Morris was the first person to be con- 
victed under this law. He eventually received three years’ probation, 400 hours 
of community service, and a substantial fine (Markoff, 1990). 

The incident also demonstrated the need for a coordinated response to a 
large-scale online threat. Researchers at MIT, Berkeley, Purdue, and other insti- 
tutions pooled their resources in order to determine the best solution to mitigate 
the worm (Eisenberg et al., 1989). It was, however, a substantial investment 
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of time and resources due to the distributed nature of the teams and the attack 
itself. Thus, DARPA (Defense Advanced Research Projects Agency of the 
US Department of Defense), one of the founders of the Internet itself, spon- 
sored the foundation of the first Computer Emergency Response Team 
(CERT) at Carnegie Mellon University in order to serve as a coordinating 
point for responses to major network emergencies (Eisenberg et al., 1989). This 
CERT now serves a pivotal role in the dissemination of information related to 
serious cyberthreats and determining large-scale responses to vulnerabilities and 
security threats. 


Blended Threats and Ancillary Tools 


In addition to these three forms of malware, there are now blended threats 
operating online that combine the distinct aspects of these codes into a single 
functional tool. 


Botnets and DDoS Attacks 


A common blended threat is botnet malware, which combines aspects of tro- 
jan horse programs and viruses together in a single program. Botnet malware 
is often sent to a victim through an attachment or other mechanism (Dupont, 
2017; Symantec, 2021). Once the program is executed, it then installs a “bot” 
program, meaning that the computer can now receive commands and be con- 
trolled by another user through Internet Relay Chat (IRC) channels or the 
web via HTTP protocols. The infected machine then surreptitiously contacts 
a pre-programmed IRC channel to wait for commands from the bot operator. 
Multiple machines that are infected with this malware will contact the channel, 
creating a “botnet,” or network of zombie machines (see Figure 4.3). This form 
of malware is often very easy to control through the use of sophisticated inter- 


faces that make sending commands to the network quite easy to accomplish. 


For more information on botnets, go online to: https://www. 
youtube.com/watch?v=3BbxUCOFX8¢g 


The size of botnets enables their operators to engage in a wide range of 
cybercrimes, including the distribution of spam and other malware. Botnets can 


also be used to perform distributed denial of service (DDoS) attacks. In a 
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Fig. 4.3 Botnet 
command 

and control 
distribution 
Source: http:// 
commons. 
wikimedia.org/ 
wiki/File:Botnet. 
svg 
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DDoS attack, each computer in the network attempts to contact the same com- 
puter or server (Bacher et al., 2005; Dupont, 2017). The target system becomes 
flooded with requests and cannot handle the volume, resulting in a loss of ser- 
vices to users (see Figure 4.4 for an example of a botnet user interface). This is 
an extremely costly form of cybercrime for companies, as they can lose millions 
of dollars in revenue if customers cannot access their services. “Bot masters” 
may therefore attempt DDoS attacks against specific websites to cause financial 
and reputation problems for the website owner, but they may also blackmail the 
organization to pay a ransom to stop the DDoS attack. In other cases, it may also 
serve as a way to distract IT teams so they do not notice stealthier intrusions into 
the system (Symantec, 2021). 

Botnets are now a common form of malware as indicated by active infections 
and operations around the world. These types of attacks are growing in both 
number and intensity although most of them last for under 30 minutes (Syman- 
tec, 2021). For example, the BBC in the United Kingdom experienced a recent 
attack in 2015 in which its website and services were down for several hours, 
leading some experts to believe that it was possibly the largest DDoS attack ever. 
The US FBI has engaged in two separate investigative crackdowns against bot- 


net operators under the code name “Operation: Bot Roast” between 2005 
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and 2010 (Hedquist, 2008). These operations led to the arrest of individuals in 
the United States and New Zealand (Goodin, 2007; Hedquist, 2008). 

There have been a number of recent high-profile arrests of botnet operators 
around the globe for their role in various cybercrime schemes. For instance, two 
Greek men were arrested in 2014 for operating a botnet called Lecpetex that 
used Facebook and email spam to contact potential victims (Sparkes, 2014). The 
botnet affected over 250,000 computers in North and South America, as well 
as Europe and the United Kingdom. Once an individual’s system was infected, 
it would install a tool designed to mine an online currency called Litecoin and 
send any funds accrued back to the operators (see Chapter 6 for more details on 
cryptocurrencies). This unique example demonstrates the diverse utility of bot- 
net malware. In addition, the insecurity of the IoT, including thermostats, secu- 
rity systems, refrigerators, and many other household appliances, has led these 


devices to become infected with malware to enable DDoS attacks. A specialized 


piece of malware called Mirai was used by attackers in the fall of 2016 to DDoS 


141 


Malware and Automated Computer Attacks 


142 


Twitter, Spotify, and other services depending on the Dyn protocol (F-Secure, 
2017). This malware infected both regular computer systems and IoT devices, 
enabling them to be used as a stable attack platform for cybercrime. We return 
to the IoT threat issue in the final chapter of the book. 


Exploit Packs 


Similarly, malware writers have recently developed tools that can infect web 
browsers and thereby enable remote takeovers of computer systems. These 
programs are called exploit packs and must be installed on a web server in 
order to attack individuals visiting a website. The exploit pack malware contains 
multiple common vulnerabilities for the most prevalent web browsers and its 
associated exploits. The program then detects the type and version of browser 
software that an individual is using to go to that website, and cycles through 
these vulnerabilities, and exploits until it can infect the user (Symantec, 2021). 

This type of attack exponentially increases the ease of infection by operating 
surreptitiously and without the need for true user interaction to activate the 
malicious code (see Box 4.3 for an interview with the creator of the exploit 
pack MPack; Symantec, 2021). An individual must (unknowingly) direct their 
web browser to a site hosted on a server with the toolkit in order to begin 


the process of infection, which is much simpler than trying to get someone 


Box 4.3. Interview with MPack Creator 
MPack Developer on Automated Infection Kit 


www.theregister.co.uk/2007/07/23/mpack_developer_interview 


In late June, SecurityFocus answered an online advertisement for the 
MPack infection kit, sending an ICQ message to the identifier listed 
in the ad. A few days later, a person contacted SecurityFocus through 
ICQ ... What follows is the result of two weeks of interviews that took 


placemen 


This article provides an interview with one of the developers of the well- 
known and highly profitable exploit pack called MPack. This interview 
provides insights into the nature of malware creation, distribution, and the 


individuals responsible for their development. 
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to open an attachment or file. This is why such attacks are commonly known 
as “drive-by downloads” in that a victim needs only to visit the site without 
clicking on anything in order to be infected (Symantec, 2009). In addition, web 
browsers often store sensitive information about a user such as passwords and 
common sites visited, thereby increasing the risk of identity theft, data loss, and 
computer misuse. Once the infection payload is executed, the attacker can then 
send additional malware to the system, including rootkits and trojans to gain 
further control over the system (Symantec, 2009). 


Ransomware 


An additional blended threat that has gained a great deal of popularity over the 
last decade is called ransomware. These threats demand that the operator of 
the infected system pay in order to have their system’s functionality restored 
(Panda Security, 2015; Russinovich, 2013). Ransomware is similar to a tro- 
jan in that it spreads through downloadable files or through websites. Once 
the prospective target executes the file, it will then deploy its payload, which 
either encrypts files on the user’s hard drive or may modify the boot record of 
the system (similar to a virus) to restrict what the user can access (Russinovich, 
2013). The payload may also include messages that are displayed to the victim 
indicating that their computer has been used for illegal activities like child por- 
nography and has been shut down by law enforcement. These messages require 
the user to pay so that the functionality or files will be restored. Once payment 
is received, the victim receives a program to either decrypt the file or unlock 
the affected portions of the system. 

There have been several notable examples of ransomware, including the 
recent CryptoLocker program that was first identified in September 2013 
(Ferguson, 2013; F-Secure, 2017; Panda Security, 2015). The program spreads 
via attachments in either emails or as downloadable malware online and tar- 
gets Microsoft Windows systems. Once it is executed, the code encrypts 
data on any hard drives attached to the infected system using a very strong 
encryption protocol (Ferguson, 2013). The key to decrypt the file is sent to a 
command-and-control structure (similar to a botnet) and the victim is told that 
they have to pay a specific fee, typically in some form of cryptocurrency, or the 
key will be deleted within three days (Ferguson, 2013). 

Though the malware itself can be removed with some ease, the encrypted 
files cannot be readily repaired, which makes this a very challenging threat 


for home users and companies alike. In fact, ransomware operators initially 
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targeted individuals but pivoted to companies and enterprise systems as they 
have greater resources to pay exorbitant ransoms to avoid losing valuable data. 
For a time, victims were encouraged to simply pay the ransom in order to min- 
imize the harm of infections (IBM, 2016). This trend appears to have persisted, 
with one estimate suggesting the average ransom paid by corporate victims 
was $111,605 in the first half of 2020 alone (Coveware, 2020). In some cases, 
the cost is covered by cybersecurity insurance policies that are held by major 
corporations and enterprises so as to minimize the costs of any attack (Sophos, 
2020; see Box 4.4). 

There are myriad examples of major public and private entities around the 
world that have been targeted by ransomware, ranging from hospitals, financial 
institutions, police departments, government entities, to schools (Ians, 2016; 
Panda Security, 2015; Sophos, 2020). In fact, a survey by the cybersecurity firm 
Sophos (2020) found that Indian entities had the highest rates of ransomware 
infection, with 246 of 300 total organizations reporting being affected. Unfor- 
tunately, ransomware does not appear to have peaked in popularity or effective- 
ness among attackers at the time of this publication. So long as criminals set the 


Box 4.4 An Example of Cybersecurity Costs in 
Ransomware Attacks 


BWL Paid $25,000 Ransom after Cyberattack 


https://www.lansingstatejournal.com/story/news/local/2016/11/08/ 
bwl-paid-25000-ransom-after-cyberattack/93488502/ 


BWL has filed a $1.9 million insurance claim for losses resulting from 
the attack. Peffley said. That figure represents $2 million in covered 
losses, minus a $100,000 deductible, he said. The claim has not yet 


been paid, officials said. 


This article provides an overview of the costs of a ransomware attack 
affecting the Lansing, Michigan Board of Water and Light in 2016. The 
attack did not affect water or power services but affected their customer 
service communications capabilities. Not only was the ransom of $25,000 
paid to the attackers but also millions of dollars to remediate the attack and 
train staff in new policies and procedures. Thus, this article reinforces the 


high cost of ransomware with clear examples. 
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prices for individuals and organizations at levels where paying the ransom is 
more cost-effective than attempting to retrieve backup data (Sophos, 2020), 
such attacks will persist. Additionally, ransomware operators are increasingly 
targeting corporate data housed in cloud storage, which may increase the need 


for victims to pay the ransom to avoid losing information (Sophos, 2020). 


For more details on the ways victims should respond to ran- 
somware, go online to: https://www.ey.com/en_us/consulting/ 


ransomware-to-pay-or-not-to-pay 


The Global Impact of Malware 


Computer security experts continue to express alarm about the current num- 
ber of malicious software programs and the increases they expect to see in the 
future. Unfortunately, the statistics over the last several years have not improved. 
Before providing additional statistics and insights, it should be pointed out that 
these companies profit by selling computer security services to individuals and 
corporations. Thus, it behooves them to discuss this issue as a crisis, though all 
available statistics appear to support their concerns. 

The number of new malicious software programs introduced into the wild 
each year is tremendous. Although the figures provided by different security 
companies vary widely, they demonstrate the magnitude of the malware prob- 
lem. Symantec (2019) reported that they found over 246 million new pieces of 
malware in 2018 alone. Similarly, SonicWall (2020) reported their software 
identified over 1.899 billion malware variants in the United States during the 
first six months of 2020 alone. Malware infections are also a global threat, with 
hundreds of millions of malware being found in the United Kingdom, and tens 
of millions of piece in India, Brazil, and Germany during the same period 
(SonicWall, 2020). Similarly, Symantec found that the highest rates of ransom- 
ware infections in 2019 were observed in China, India, the United States, Brazil, 


Portugal, and Mexico. 


For more details on the emergent threat of malware to various nations, 


go online to: https://securityintelligence.com/news/singapore-an- 


emerging-target-for-cyberthreats-and-banking-trojans 
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A review of US-CERT weekly vulnerability summaries, released by a gov- 
ernmental agency and part of the National Cyber Alert System, illustrates that 
the identification of vulnerabilities is a constant challenge. Each Cyber Security 
Bulletin provides a summary of the new vulnerabilities recorded during the past 
week by the National Institute of Standards and Technology (NIST) National 
Vulnerability Database (NVD). This database is sponsored by the Department 
of Homeland Security (DHS) National Cybersecurity and Communications 
Integration Center (NCCIC)/United States Computer Emergency Readiness 
Team (US-CERT). 

The vulnerabilities are categorized by severity (high, medium, and low) 
based on the Common Vulnerability Scoring System (CVSS) standard. For 
example, a vulnerability will be categorized as high if its CVSS score is between 
7.0 and 10.0, medium if between 4.0 and 6.9, and low if between 0.0 and 3.9. 
This information is made more informative by organizations and US-CERT 
providing additional information, including identifying information, values, 
definitions, related links, and patches if available. Any examination of these 
weekly vulnerability reports shows how many serious vulnerabilities are identi- 
fied and reported on a weekly basis. Dozens of pieces of software and hardware 
are included each week, particularly at a high vulnerability level, demonstrating 
the scope of threats facing the public. 


For more information, visit: https://us-cert.cisa.gov/ncas/bulletins 


Although this chapter primarily focuses on computer systems and their users, 
scholars and security experts also warn about the vulnerabilities of smartphones, 
particularly Android operating systems, and personal digital assistants (PDAs). 
Though mobile attacks are still less common relative to PC attacks, they are 
subject to the same forms of malware and creative attackers (F-Secure, 2017; 
Panda Security, 2015; Ruggiero & Foote, 2011; Symantec, 2019). In fact, 
Symantec (2019) found an increase in ransomware infections on mobile devices 
in 2018, particularly in the United States. In total, they identified 2,328 new 
variants of mobile malware in 2018 and blocked an average of 10,573 mobile 
applications every day. 

It is expected that there will be an increase in attacks against Android oper- 
ating systems because smartphones and PDAs have some of the same advanced 
computing abilities as traditional computer systems. They give the user access to 
the Internet and email, have address books, and have GPS navigation. They also 
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allow people to purchase items using wireless networks, access bank accounts, 
set alarms on houses, and make purchases through various online retailers. Thus, 
Android running devices are already at risk of the full spectrum of malware 
that affects PCs, including viruses, worms, trojans, ransomware, and others 
(F-Secure, 2017; Symantec, 2019). 

The issue that separates mobile devices from computers is their use of security 
protections. Smartphones and tablets have lax or poor security as they do not 
come preinstalled with firewalls or antivirus programs. These tools are available 
for purchase, though it is unclear how many individuals actually install antivirus 
protection on their mobile devices. In addition, operating systems for mobile 
phones are updated less frequently than those for computers, creating greater 
opportunities for attackers to exploit known vulnerabilities (Symantec, 2019). 
This problem is compounded by the fact that smartphone and mobile device 
users are generally unaware of these problems but believe that their devices are 
just as secure as their computers. Thus, smartphones present a clear risk point 
for malware writers who seek to harm user systems and gain access to sensitive 
data (F-Secure, 2017; Symantec, 2019). 

It is difficult to even create rough estimates on the amounts that hackers 
and malicious programs have cost citizens, organizations, government agen- 
cies, and the global economy. When considering the financial costs, one has 
to not only count the actual direct damage of the malware, such as having 
to replace a computer, but also the amount of time, money, and manpower 
spent trying to prevent an infection and then fix the problem if an infection 
occurs. Malware can disrupt network operations, delete, steal, or manipulate 
files, allow access to confidential files, and generally damage computer systems 
and hardware. In addition, there are the indirect costs to businesses that arise 
from consumer lack of confidence in online purchases or credit card usage. 
If consumers lose confidence in the security and privacy of their online pur- 
chases, they will be less likely to spend money online in general and with 
specific companies that had reported particular problems. On the other end, 
vendors themselves might also fear online transactions if they are unsure that 
the person on the other side is really who they say they are. In order to address 
these problems, companies and financial institutions spend billions of dollars 
on verification and other computer security programs to ensure safety. In the 
end, these costs increase the cost of doing business, which is handed down to 
the consumer. 


Over the last decade, various experts and companies have estimated that 


hack attacks cost the world economy over $1 trillion per year. Considering that 
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(1) more malicious software is created each year; (2) the number of special- 
ized hacks occurring throughout the world has increased; (3) more individuals 
around the world are connected to the Internet; (4) more companies conduct 
online business transactions; and (5) more companies and governments spend 
additional funds on computer security to address these problems, it is safe to say 
that the cost of malware must be higher than what is otherwise spent to mitigate 
and prevent malicious software infections and hacks. In fact, the total cost of 
cybercrime may reach 10.25 trillion dollars globally by 2025 (Morgan, 2020). It 
is extremely difficult, however, to create total costs of cybercrime estimates due 
to the disparity in available loss metrics. 

The costs of hacking and malware infection, however, are not only financial. 
There are also potential emotional consequences for victims, though there is 
little criminological research on the way that victims of malware infection and 
hacking incidents feel afterward. For many people, malware infection is nothing 
more than a minor nuisance that can be fixed easily. Some, however, may feel 
that their personal space was violated and personal privacy forever lost. Victims 
may not be able to identify the source of the infection, whether from a website, 
bad attachment, or other medium. As a result, some may change their online 
habits in order to reduce their perceived risk of future infections. 

In addition, some victims may feel that they are to blame for their victimi- 
zation experience. Since computer security principles currently revolve around 
self-protection practices, like the use of protective software, hard passwords, 
and careful online behavior, victims may see themselves as the source of their 


financial and emotional harm resulting from an infection. 


Hackers and Malware Writers 


Although hackers are often associated with the use of malware, not all hack- 
ers have the ability to create these programs. It takes some degree of skill and 
knowledge of programming languages, vulnerabilities, and exploits in order to 
create effective malware. There is a good demand for malicious code among 
hackers of all types as they can make an attack much easier to complete. As a 
result, the demand for malware can far surpass the capacities present in the cur- 
rent hacker community. 

The very limited body of research considering the activities and interests of 
malware writers suggests that they generally operate within and share the norms 
and values of the larger hacker subculture (see Chapter 3 for details). Mal- 


ware writers have a deep interest in technology, which is an absolute necessity 
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in order to identify distinct vulnerabilities in software or hardware and find 
innovative ways to exploit them. Writing malicious code can therefore be an 
exercise in creativity, as the individuals must challenge themselves and their 
understanding of the limits of an operating system and their own coding capa- 
bilities. For instance, the Elk Cloner virus mentioned earlier is an excellent 
example of creative malware coding as the author liked to play pranks and cre- 
atively apply his knowledge to computer systems. 

They may also be motivated by the desire to cause harm or get revenge 
against someone who they perceive to have wronged them (Bissett & Shipton, 
2000; Gordon, 2000). For instance, a system administrator named Andy Lin was 
sentenced to 30 months in a US federal prison in 2008 for planting a form of 
malicious code called a “logic bomb” on the servers of Medco Health Solutions 
where he worked for some time (Noyes, 2008). Lin installed a program in 2003 
that would execute its payload and wipe out all data stored on over 70 servers 
in the company’s network in the event he was laid off. When it appeared pos- 
sible that he would lose his job, he set the code to activate on April 23, 2004. 
The program, however, was unsuccessful. He therefore kept it in place and reset 
the deployment date to April 2005. A system administrator within the company 
found the bomb code in the system and was able to neutralize the code. While 
this scheme was unsuccessful, it demonstrates the inherent danger that malware 
can cause in the hands of the right actor. 

Writers may also develop a piece of malware because they believe they may 
garner fame or notoriety in the hacker community (Bissett & Shipton, 2000; 
Gordon, 2000; Holt & Kilger, 2012). In the late 1990s and early 2000s, the 
preponderance of worms and viruses led their creators to generate worldwide 
attention because of the harm they could cause to the majority of computer 
users around the world. That kind of attention could easily serve as an individ- 
ual’s calling card and help them to demonstrate their level of skill in order to 
gain a legitimate job in the security industry (Taylor, 1999). Alternatively, the 
author may simply be able to show everyone what they are capable of doing 
with enough careful planning and execution. 

As patterns of technology use have changed and individuals are increasingly 
using technology in all facets of everyday life, malware writers have begun to 
target these users to set up stable attack platforms based on networks of infected 
computers (Holt & Kilger, 2012). Virus writers and creators now recognize that 
not everyone has the ability to write such code, but if the actor is proficient 


enough as a hacker they will understand how to leverage a tool to their own 


benefit. As a result, malware writers are increasingly motivated by economic 
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Box 4.5 Interview with the Malware Writer Corpse 
Meeting the Swedish Bank Hacker 


http://computersweden.idg.se/2.2683/1.93344 


For the price of 3,000 dollars, our reporter was offered his personal 
bank Trojan. In an interview with Computer Sweden, the hacker 
behind the recent Internet frauds against Sweden’s Nordea bank claims 
responsibility for more intrusions. “99 percent of all bank intrusions are 


kept secret,” he insists. 


This in-depth interview with Corpse, the creator of a well-known trojan, 
describes why he made it. The account demonstrates that some hackers are 
clearly aware of how their programs have malicious application and will 


harm individuals on a global scale. 


gain through sales of tools and code to others in the community (Holt, 2013; 
Holt & Kilger, 2012). Typically, tools are advertised through forums and IRC 
channels and then direct negotiations occur between buyers and sellers. Direct 
sales of programs to others can generate a relatively healthy income that exceeds 
what may otherwise be available as a salary through existing jobs (see Box 4.5 
for details). Thus, malware writers share some common ideas with the larger 
hacker community, though the skill and sophistication involved in the creation 
of malware differentiate them from the larger population of unskilled or semi- 
skilled hackers. 


Legal Challenges in Dealing with Malware 


Despite the substantial harm that malware can cause, many nations have not 
criminalized its creation. The process of creating malware is an exercise in cre- 
ative thinking and innovation, which can be inherently valuable to the com- 
puter security community to better secure systems. Instead, most nations 
choose to prosecute malware use under existing statutes regarding computer 
hacking. The direct connection between malware use and hacking outcomes, 
such as data loss or manipulation, makes intuitive sense and creates a more 
streamlined criminal code without the addition of statutes that may not oth- 


erwise exist. 
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A few nations, however, have specifically defined malware in their criminal 
codes. The US Computer Fraud and Abuse Act includes malware-related 
offenses in addition to specific hacking-related offenses. The fifth statute of this 
act (18 USC § 1030(a)5) involves the use of malware, making it illegal to: 


1 knowingly cause the transmission of a program, information, code, or com- 
mand and thereby intentionally cause damage to a protected computer; 

2 intentionally access a protected computer without authorization and thereby 
recklessly cause damage; and 

3 intentionally access a protected computer without authorization and thereby 


cause damage or loss. 


The first portion of this statute recognizes the distribution of malware, though 
that term is not used in favor of the terms program, information, or code, as it 
provides greater latitude in the identification of viruses, worms, and forms of 
software (see Box 4.6 for details on the arrest and prosecution of the creator of 
the Melissa Virus). The remaining two items involve ways that malware can be 
used in the course of either reckless or intentional damage. If an individual is 
found guilty of violating this act, they may receive a fine and a prison sentence 
of two years to life depending on the severity of their actions (see also Chap- 
ter 3). For instance, if the use of malware leads to the death of another human 


being, they may be eligible for a life sentence. Though the likelihood of such 


Box 4.6 One of the First Modern Prosecutions for 
Malware Distribution in the United States 


Creator of “Melissa” Virus Will Get Jail Time 


http://usatoday30.usatoday.com/tech/news/2002/05/01/melissa-virus.htm 


The creator of the “Melissa” computer virus was sentenced Wednes- 
day to 20 months in federal prison for causing millions of dollars of 


damage by disrupting e-mail systems worldwide in 1999. 


This article provides a good roundup of the rationale for prosecuting 
David L. Smith for his role in the distribution of the well-known malware 
program called the Melissa virus, as well as the relative absence of arrests 


otherwise for similar activities across the globe. 
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an outcome is low, the recognition by legislators that malware may be used — 
intentionally or unintentionally — to cause harm in a real-world context is a 
clear step forward for federal prosecutors to fully pursue justice for the actions 
of cybercriminals. 

Since malware may be used to acquire sensitive passwords and other data, 
the CFAA now includes language criminalizing the sale or exchange of user 
information. Specifically, 18 USC § 1030(a)6 makes it illegal to knowingly 
sell, buy, or trade passwords or other information used to access a computer 
with the intent to defraud the victims. For instance, if an individual used a 
keylogging trojan to gather passwords and then sold that information to others, 
he may be prosecuted under this statute. Importantly, the computers harmed 
must be either (1) involved in interstate or foreign commerce or (2) operated 
by or for the federal government. This language is quite broad and may be 
interpreted to include a wide range of computers connected to the Internet 
owned or operated by civilians (Brenner, 2011). Currently, any individual 
found guilty of this crime may be fined and imprisoned for one to five years 
depending on whether the offender gained commercial or financial gain for 
their actions or if the value of the data exceeds $5,000. If, however, the indi- 
vidual is found guilty on multiple counts, they are eligible for up to ten years 
in prison (Brenner, 2011). 

The use of malware in order to extort funds from victims also led to the 
creation of CFAA language to criminalize threats to computer systems. 18 USC 
§ 1030(a)7 made it illegal for an individual to extort money or anything of value 
on the basis of (1) threats to cause damage to a protected computer, (2) threats 
to obtain information or affect the confidentiality of information from a com- 
puter without authorization or exceeding authorized access, or (3) damage to a 
computer when the damage was caused to enable the extortion. Anyone found 
guilty of this offense can be sentenced using the same guidelines for trafficking 
in passwords, namely, up to five years in prison and/or a fine, or up to 10 years 
in the event the offender has prior convictions. These laws can be used to pros- 
ecute the use of ransomware, as well as DDoS attack ransom attempts. 

In addition to these statutes at the federal level, the laws related to computer 
hacking and intrusions in all states in the United States can be extended to 
the outcomes associated with malicious software (National Conference of State 
Legislatures, 2020). Some states have criminalized the creation and distribution 
of malware, though they may not include those words. Instead, states like Cal- 
ifornia use the term “computer contaminants” or computer instructions as 


the programs contain code designed to damage, destroy, or transmit information 
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within a system without the permission of the owner (Brenner, 2011). The use 
of malware may constitute either a misdemeanor or felony depending on the 
harm caused and the individual’s access to sensitive data or information of a 
monetary value. 

Additionally, 26 states have specific language criminalizing either DDoS or 
DoS attacks (National Conference of State Legislatures, 2020). Six states (Cal- 
ifornia, Connecticut, Michigan, Texas, West Virginia, and Wyoming) have 
added language to their criminal code regarding the use of ransomware (National 
Conference of State Legislatures, 2020). Several of these states also experienced 
distinct ransomware attacks, which may have precipitated the creation of the 
legislation. Regardless, these states are interesting examples of the ways that indi- 
vidual states may adapt to cyberthreats, though states may still be able to sanction 
offenders who use ransomware under existing malware or trespassing statutes. 

Many other nations share similar legal frameworks regarding malware in 
that existing statutes concerning hacking can also be used to pursue malicious 
software cases. Few nations actually specifically criminalize the use of malware 
but rather apply existing laws regarding hacking in these incidents. Australia, 
Canada, and India are examples of this strategy. In the United Kingdom, the 
Computer Misuse Act 1990 has some utility to account for malware-related 
offenses as it criminalized unauthorized access to computer material and unau- 
thorized modification of computer material (see Chapter 3). This is a direct 
outcome of the use of malware, though the law did not allow for direct cases 
against malware writers. As a result, the Police and Justice Act 2006 extended 
and revised this section of law to account for malware distribution. The Act 
added three offenses related to “making, supplying, or obtaining articles for use 


in computer misuse offenses,” including: 


1 making, adapting, supplying, or offering to supply any article intending it to 
be used to commit, or to assist in the commission of, an offense under the 
Computer Misuse Act; 

2 supplying or offering to supply any article believing that it is likely to be used 
in the commission of offenses under the Computer Misuse Act; and 

3 obtaining any article with a view to its being supplied for use to commit or 
assist in the commission of offenses under the Computer Misuse Act. 


These offenses carry a maximum sentence of two years and a fine, though it 


has drawn criticism for its potential use to prosecute professionals and legitimate 


security tool developers (Brenner, 2011). 
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The Council of Europe’s Convention on Cybercrime does not specifi- 
cally include language on malware in order to avoid the use of terms that may 
become dated or irrelevant over time (Council of Europe, 2013). Instead, the 
existing articles of the convention can be applied in some way to malware used 
in the course of cybercrime. The most relevant language is currently included 
in Article 6 regarding the misuse of devices. Specifically, this article makes it 
a violation of law to produce, sell, or otherwise make available a program or 
device designed to access computer systems, intercept or harm data, and inter- 
fere with computer systems generally (Council of Europe, 2013). This article is 
not designed for use in prosecuting cases where individuals have penetration- 
testing tools or codes designed to protect computer systems. Additionally, this 
article allows flexibility for each nation to decide whether they want to include 
this language in their own criminal codes (Council of Europe, 2013). However, 
the use of malware can be criminally prosecuted under laws designed to pursue 


illegal access to systems. 


Coordination and Management in 
Addressing Malware 


Since malware is prosecuted using similar legislation to computer hacking, many 
of the same agencies are responsible for the investigation of these offenses (see 
Chapter 3). The Federal Bureau of Investigation in the United States, Metro- 
politan Police Central e-crime Unit (PCeV) in the United Kingdom, and other 
agencies all investigate these crimes. There is, however, a much larger body of 
private agencies and commercial entities involved in the detection and mitiga- 
tion of malicious software. 

One of the most prominent resources available for industry and businesses 
to help mitigate the threat of malware and insulate them from future attack are 
computer emergency readiness teams (CERTs). As noted earlier, the first 
CERT was born out of the Morris Worm, which demonstrated the need to 
develop a coordinated response to cyberthreats. As malware became more 
prevalent and damaging to the rapidly expanding population of Internet users 
in the mid-1990s, the need for coordinated responses to threats increased 


substantially. 


For more information on CERTs, go online to: www.us-cert.gov 
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There are now 555 publicly identified response teams in 95 nations around 
the world (FIRST, 2020). They may go by different names depending on loca- 
tion. Some nations or locations may use the term CERTs while others use the 
name Computer Security Incident Response Teams (CSIRT), but they 
serve generally similar purposes. There are 97 CERT or CSIRT groups in the 
United States alone. Some of these are housed in financial institutions like Bank 
of America and Scottrade, technology companies like IBM and Yahoo, while 
others are located in government agencies such as the National Aeronautics and 
Space Administration (NASA). The primary CERT within the United States 
(US-CERT Coordination Center) is now situated within the DHS’s Cyber- 
security and Infrastructure Security Agency (CISA) (ee also Chapter 10; 
DHS, 2020). It provides reporting mechanisms for vulnerabilities and threats to 
systems, as well as security tools to help patch and protect systems from attack 
(DHS, 2020). The CERT can also serve to analyze and track threats as they 
evolve for virtually any branch of government and civilian networks, includ- 
ing threats for both home users and businesses. They act as a focal point for 
the coordination of information concerning cyberattacks that threaten civilian 
infrastructure (DHS, 2020). 

At a global level, there are now CERTs or CSIRTs on every continent. 
The greatest representation of units is within industrialized nations. Given the 
wide distribution of teams and threats based on the resources within a given 
nation, there is a need for a unifying body to help connect all these groups 
together. The global Forum for Incident Response and Security Teams 
(FIRST) serves to coordinate information sharing and connections between 
all teams worldwide (FIRST, 2020). FIRST offers security courses, annual 
conferences for incident responses, best practice documents for all forms of 
incident response, and a full reference library of security research and mate- 
rials from across the globe. The Forum also creates working groups based on 
common interests or specific needs, such as their Special Interest Group 
(SIG), which links respondents together to discuss common interests in order 
to explore a topic of specific technology in order to share expertise. There is 
even an arm of FIRST that is connected to the International Standards Organ- 
ization (ISO) in order to help inform policies and standards for cybersecurity 
incident management, evidence handling, and vulnerability disclosure in the 
field (FIRST, 2020). 

Perhaps the most identifiable entities involved in the response to malware 


and hacking incidents are members of the antivirus and cybersecurity indus- 


try. There are dozens of companies offering security tools to protect desktop, 
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laptop, tablet, and mobile computer systems either for a fee or at no cost to 
the user to secure various operating systems, whether Mac OS, Windows, 
Linux, or mobile OSs. You may know some of the more prominent com- 
panies in the field and use some of their products, including BitDefender, 
Kaspersky, McAfee, Symantec, and Trend Micro. Most of these companies 
offer some type of antivirus software, which protects the user by checking 
incoming files and data requests to protect against active infection attempts 
in real-time and/or scanning existing files to detect and remove malware that 
may already be installed. Antivirus software works through the use of heu- 
ristics, or signature-based detection, where all system files on a computer are 
compared against known signatures or definitions of malware to determine 
whether an infection has taken place. Similarly, any attempted download is 
compared against known definitions of malware in order to eliminate the like- 
lihood of being actively infected. 

The benefit of antivirus software is that it can help to reduce the risk of mal- 
ware being able to actively infect a protected system. The use of heuristic detec- 
tion systems is, however, limited by their available knowledge. The definitions 
that the software has on file run the risk of being outdated every day, as new 
variants of malicious code are being produced all the time. Antivirus vendors 
have to create signatures for any new malware variant identified; thus, they are 
constantly updating definitions. In addition, there is no necessary agreement 
between security companies as to the name or classification for a specific form 
of malware. Some vendors may tag something as a trojan, while another labels 
it a virus, making it difficult to standardize the identification of malware gener- 
ally. If users do not have an up-to-date definitions file for their antivirus soft- 
ware before it starts to scan for infections, the risk of infection from new malware 
is increased (Symantec, 2021). If an individual never updates this information, 
then his or her antivirus software can do very little to protect the system from 
new threats. As a result, the value of protective software is severely limited by 
the knowledge and skills of both the end user operating the software and the 


continual advancements in malware in the wild. 


For more information on antivirus vendors, go online to: 


1. www.norton.com 
2. www.sophos.com 


3. WWW.avg.com 
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In light of the limitations of antivirus software and the challenges posed by 
malware generally, a nonprofit organization called the Anti-Malware Testing 
Standards Organization (AMTSO) was formed in 2008 (AMTSO, 2017). 
The organization exists to provide a forum to improve the process of malware 
identification and product testing, the design of software and methodologies for 
analysis, and identify standards and practices that can be implemented across the 
security industry. In fact, they have published a range of documents describing 
testing guidelines and standards for the analysis of malware and testing of secu- 
rity products. The AMTSO is comprised primarily of major security vendors, 
which is sensible given they have a vested interest in developing sound prod- 
ucts. Some have questioned whether this is a good thing, as the vendors may 
have little interest in truly assessing the quality of their products or revealing the 
limits of what their tools can do (Townsend, 2010). Thus, the AMTSO is one 
of the few entities, which attempts to police the antivirus industry, though there 


are limits to its capabilities. 


Summary 


The threat of malware is diverse and ever-changing, affecting virtually all forms 
of computer technology. Malicious software takes many forms, though the 
use of programs that blend various attack techniques into a single platform is 
increasingly common. The creation of malware is, however, a skill that only a 
few have and can implement in the wild. As a result, some have taken to selling 
their resources in open markets operating online, which increases the capabil- 
ity of less-skilled attackers while enriching talented programmers. The crim- 
inal laws available to prosecute malware users are substantive, though there 
are no necessary laws against actually writing malware. Thus, law enforcement 
agencies are not necessarily able to mitigate the threat of malware. Instead, the 
computer security industry has become the pertinent resource to minimize the 


threat of malware for the general public, governments, and industry generally. 
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Discussion Questions 


1. Since malware writers tend to target popular software and resources, 
what do you think will be the likely targets for infection over the next 
five years? Please explain why you think a certain target may be selected 
over another. 

2. Why do you think nations have not criminalized the creation of mali- 
cious software generally? Should the legal code be amended to reflect this 
activity? Why? 

3. If the antivirus software industry has grown since the 1990s, but mal- 
ware continues to evolve and expand, is it reasonable to say that they are 
effective in reducing infections? If vendors are not technically stopping 
infections, then how can we assess their real value? 
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Chapter Goals 


e Understand intellectual property and how piracy affects property 
owners 

© Realize the ways that hacking and cybercrime engender theft of intel- 
lectual property 

e Identify the ways that piracy has changed over time 

e Examine the ways that pirates justify their theft of intellectual property 

¢ Know the legal protections afforded to intellectual property and the 
legislation designed to protect digital media 

e Recognize the methods employed by property owners to deter or 
sanction intellectual property theft 


Introduction 


Over the last two decades, high-speed internet connectivity and the world wide 
web have transformed the way in which individuals access music, movies, tel- 
evision, and other forms of entertainment content. The ability to stream tradi- 
tional terrestrial radio stations online allows individuals to access content from 
anywhere around the world. At the same time, streaming-music services like 
Pandora and Spotify allow individuals to listen to only the content they most 
prefer and to share with friends. Netflix, Hulu, YouTube, and other streaming- 
video services allow individuals to watch television, movies, and clips on 
demand. Even e-reader devices like the Kindle and Nook tablets provide wire- 
less access to digital copies of books and magazines, allowing a virtual library to 
be transported and enjoyed anywhere. All of this content can even be enjoyed 
via smartphone applications, meaning you are no longer tethered to a television 
in order to view certain content. 

The technologies that sustain the media-saturated environment we now 
live in provide unparalleled access to any and all forms of entertainment. 
At the same time, they can be readily subverted in order to acquire, copy, 
and unlawfully distribute media that was illegally obtained. These activ- 
ities are commonly referred to as digital piracy, a form of cybercrime 
encompassing the illegal copying, using, or distributing of digital media 
such as computer software, digital sound recordings, and digital video 
recordings without the explicit permission of the copyright holder (Lee 
et al., 2018). When thinking about digital piracy, it is important to consider 
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other activities than illegally downloading movies and music. Rather, as 
the definition provided indicates, the term digital piracy is a large umbrella 
term that refers to copying, using, or distributing any form of digital media, 
including, but not limited to: music, movies, television shows, software, 
video games, and documents. 

As the readers of this textbook are probably aware, digital piracy is a com- 
monly committed offense. In fact, studies indicate that up to at least 40 percent 
of American college students, if not more, probably appear to have engaged 
in some form of piracy (Gunter, 2009; Higgins et al., 2009; Holt & Bossler, 
2015). Some studies find that basically almost all 18-24 year olds have ille- 
gally downloaded music at some point in their lives (Dawson, 2010). Digital 
piracy is of course not limited to the United States, with estimates from other 
countries equally as high. For example, over 70 percent of Finnish teenagers 
were found to have committed some form of digital piracy over the previous 
12 months in one study (Salmi, 2012). Another study found that more than 
half of Canadians between the ages of 16-34 years admitted to committing 
music piracy (Nandedkar & Midha, 2012). A study funded by the Asia Video 
Industry Association found that 49 percent of Filipino consumers accessed 
torrent sites or streaming piracy service websites (Asia Video Industry Asso- 
ciation, 2020). 

Piracy is so commonplace in fact that media companies fully expect their 
content to be made available for illegal download as soon as possible. The 
global spread of media markets also makes the rapid share of pirated content 
possible in ways that were not previously possible. For instance, the superhero 
film Avengers: Endgame was first released in Asian theaters on April 24, 2019, in 
advance of a release in North American and European markets (see Box 5.1). 
Within two days, the entire 3-hour film began to appear for download on 
piracy networks, making it possible for anyone to obtain the film prior to its 
theatrical release in their physical location. Additionally, a cable company in the 
Philippines aired a pirated version of the movie on one of their channels the 
day after its Asian premiere (Moon, 2019). The movie went on to make almost 
$3 billion globally, but some industry experts suggested that less popular film 
series would have been severely impacted by the prerelease of pirated down- 
loads (Abad-Santos, 2019). 


For more information on the rates of software piracy, go online 
to: https://gss.bsa.org/ 
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Box 5.1 Pirating Avengers: Endgame 


“Avengers: Endgame” Full Movie Hits Piracy Networks 
(Report) 


https://variety.com/2019/digital/news/avengers-endgame-pirated- 
online-china-1203196595/ 


Disney/Marvel’s “Avengers: Endgame,” poised to be the hugest movie 
opening in history, has hit piracy networks—two days before its U.S. 


premiere.... 


This article provides an overview of the challenge inherent in stopping 
piracy with the rise of global film markets and how this may affect the box 
office returns for the film Avengers: Endgame. 


In fact, this matches arguments made by those who regularly pirate materials 
in that they suggest downloading a movie, song, or piece of software does not 
cause any substantive harm (Hashim et al., 2018). Pirates argue that the eco- 
nomic loss associated with piracy should be relatively small by comparison to the 
millions or billions of dollars that media or software producers make. Such an 
argument may feel hollow to content producers, as they must make substantial 
investments in order to ensure they are successfully able to monetize their crea- 
tions. Current estimates suggest that digital piracy has massive economic impacts 
on the recording and film industries, with as much as $97.1 billion in losses to 
the film industry, and up to $95.4 billion for television producers (Letic, 2019). 
In fact, the company MUSO (2020) estimated that there were over 190 billion 
site visits to piracy portals online in 2018, with the majority originating from 
the United States. These estimates may not be reliable as their methodologies 
are not always made clear by the companies and organizations that produce 
these statistics. Regarding software piracy, the Business Software Alliance (BSA) 
(2019) reports that 37 percent of software globally is pirated. Evidence suggests 
software piracy is especially high in low-income countries where the ability 
to acquire media is limited relative to its cost. The BSA suggests that piracy is 
highest and remains high in Central and Eastern Europe, Latin America, and 
Asia relative to Canada, Europe, and the United States. 

Given the persistence of piracy, some have begun to question the value of 


pursuing criminal prosecutions against pirates in court. If copyright holders still 
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profit from their efforts despite individuals being able to access ideas and media 
for free, can any harm truly result from piracy? In fact, would the ability to 
access any and all information improve the open nature of society and stimulate 
creativity as a whole? The recently formed political group Pirate Parties Inter- 
national believes that reforming copyright laws to favor more open distribution 
would be a boon to society and foster transparency in governments across the 
world. This group has found success throughout the Americas, Europe, and Asia 


and may have far-reaching consequences for society over the next decade. 


For more information on Pirate Parties International, go online 
to: https://pp-international.net/pirate-parties/ 


In order to understand the current climate toward piracy, it is important to 
identify the changes in technology, the law, and societal perceptions of media. 
This chapter will provide a focused discussion of intellectual property and the 
evolution of piracy techniques over the last 30 years. The relationship between 
piracy and corporate intellectual property theft will also be examined to high- 
light the interesting dynamics that increase the likelihood of economic harm 
to companies. Additionally, the laws and tactics used to pursue pirates interna- 
tionally will be explored, so that readers understand the challenges posed by this 


offense in a globally connected world. 


What Is Intellectual Property? 


Before discussing piracy, it is important to understand how ideas and intellec- 
tual works are legally protected. For instance, this book has value because it is 
useful to readers as an assembled document with information synthesized from 
works, ideas, and information that already exist. Similarly, music, movies, art, 
and creative endeavors all have value to their developer, as well as prospective 
economic value. When an original idea that involves some creative expression 
is put into a fixed medium, such as being written down on paper or drafted on 
canvas using paint, it can be defined as intellectual property. Ideas become 
“property” because they are physically tangible works that can be viewed by 
others. Thus, any work of art, novel, design, blueprint, invention, or song can 
be intellectual property. 


Similarly, there are trade secrets that constitute intellectual property usu- 


ally held by businesses and corporations. A trade secret is typically defined 
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as information that is confidential to a business’ success and affects its general 
commercial value (Nasheri, 2005). For instance, the formula for Coca-Cola 
is unique to the brand and comprises a key piece of information that, if lost, 
would affect its ability to compete in the open market. As a result, companies 
are often extremely concerned if their trade secrets were to be stolen or acquired 
by someone outside of the organization. 

To protect an idea or work from being stolen, and to ensure that an indi- 
vidual receives appropriate credit for a creation, many people try to copyright, 
trademark, or patent an idea. These are all forms of legal protection for intel- 
lectual property that provide exclusive use of an idea or design to a specific per- 
son or company, the right to control how it may be used, and legal entitlement 
to payment for its use for a limited period of time. For instance, the logos and 
branding for a product like Coca-Cola or Apple are important symbols that 
link a product to a company and have been trademarked to ensure that they are 
not misused by other companies or individuals for their own gain. Similarly, 
copyright protections are automatically granted to an individual who creates a 
literary, musical, or artistic work of some type from the moment it is created 
in a fixed format like a recording or a typed and printed medium (Yar, 2013). 

It is important to note that while copyright protections are available in a 
cross-national context, there is a distinction with regard to US law. Individuals 
are given copyright protections from the time a work is created, though they 
must register their copyright with the government to ensure that they are given 
all necessary protection under the law. Specifically, an individual can only pur- 
sue criminal or civil actions through the state if the content creator has acquired 
a registered copyright or other legal protection. As a result, legal protection for 
intellectual property requires some forethought on the part of the creators to 


secure their ideas in the United States. 


For more information on copyright laws, go online to: 


1. www.copyright.gov 
2. www.ipo.gov.uk/types/copy-htm 


The ability to maintain and enforce copyrights and legal protections over 
intellectual property in the digital age, however, is extremely difficult due to the 
transitory nature of an idea and the ability to access information from anywhere 


at any given point in time. This is where the problem of intellectual property 
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theft, or piracy, has emerged as a substantive economic threat to artists and 
copyright holders. Our ability to access any work, be it cinematic, musical, or 
literary, through the Web, television, or streaming media has made it much eas- 
ier to reproduce works without notifying the original creator of our intentions. 
This means that copyright holders do not receive appropriate reimbursement 
and must find ways to ensure that their rights are upheld. As a result, copyright 
laws have evolved substantially in the last 30 years to ensure that individuals and 
corporations with legal rights to a piece of intellectual property are given their 
appropriate due. Additionally, those who wish to circumvent legal protections 
continuously change their behaviors in order to reduce the likelihood of detec- 
tion and risk of arrest. 


The Theft of Corporate IP Relative to Pirated Content 


It is clear that the rise of the Internet has created ample opportunities for fraud 
and theft through hacking and other means. While we traditionally focus on the 
ways these offenses affect individuals, hacking and acquisition of information 
have unparalleled impacts on businesses and corporations (Andress & Winter- 
feld, 2013; Nasheri, 2005). Such attacks that target corporate intellectual prop- 
erty can be especially costly, if it involves key designs or research, such as the 
source code of software, plans or formulas for equipment, or materials that 
involve costly up-front research expenses to develop. For instance, there are 
extremely high costs involved in the design and manufacture of commercial 
airplane equipment. Engineers must develop not only software, but hardware 
and materials that are then used to produce prototypes to be tested in the field. 
If the designs appear stable and survive testing, they can then be manufactured 
in large scale for sale to airlines and countries around the world. 

Mounting evidence demonstrates that some nations are sidestepping these 
upfront design and testing costs in favor of simply hacking the manufactures 
and nations who produce the equipment (Cimpanu, 2019; Nasheri, 2005). 
Once the attackers gain access to sensitive files, they are then exfiltrated and 
shared within government and industry circles in their home country. This 
was evident in the production of a new Chinese commercial aircraft called 
the C919 (Cimpanu, 2019; Mares, 2019). Nation-state backed hackers, as 
well as seemingly independent actors, coordinated their efforts by working 
with the Chinese government-run airline company Comac to selectively tar- 
get systems in various government and aerospace design companies, including 
Airbus and Boeing (Cimpanu, 2019; Mares, 2019). The information hackers 
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acquired would enable the Chinese government to produce various pieces of 
hardware and airplane parts within the country, rather than rely on foreign 
manufacturers. While it is not clear if these attacks will eventually increase the 
productivity and capacity of Chinese manufacturing, it is a clear demonstra- 
tion of why intellectual property theft is a damaging proposition to economic 
competition globally. 

The extent of the threat posed by intellectual property theft is often difficult 
to quantify through any tangible data points. As noted in Chapter 1, companies 
do not like to report when sensitive information is lost, especially if it involves 
potential proprietary information or corporate secrets that could undercut their 
competitive abilities in the open market. The earlier example related to airline 
production is similarly instructive as the companies affected in this incident 
provided little detail to the public on what materials were actually lost, only 
that compromises occurred (Cimpanu, 2019). As a consequence, estimates from 
the US government suggest the loss of corporate intellectual property, separate 
from digital piracy, is likely between $180 billion and $540 billion per year (The 
National Bureau of Asian Research, 2017). 

Given the substantive economic impact companies face from the loss of 
intellectual property, it would seem essential that violators are prosecuted to the 
extent possible. Legislators in the United States have consistently argued over 
the last decade that IP theft continues unabated because of the challenges present 
in proving that the act has occurred, and a lack of prosecutorial powers. Since 
much of the theft of IP stems from individuals in foreign nations, it is difficult to 
extradite and bring those persons to justice in a US courtroom. The airline inci- 
dent described earlier is somewhat exceptional, as the attacks involved Chinese 
nationals and insiders within these companies who were located in the United 
States and other locations where they may be successfully extradited (Cimpanu, 
2019). Those individuals were the first to be arrested, followed by the arrest of 
Chinese government official who coordinated efforts within independent hack- 
ers in 2018 (Cimpanu, 2019). It is unclear if such arrests will occur more often as 
greater efforts are made to crack down on IP theft, but it provides an important 
sign that the United States is taking the problem seriously. 

Increased prosecution will likely not be enough to stem the tide of intellec- 
tual property theft. The continued evolution of technology and the Internet 
create multiple avenues for compromise of sensitive intellectual property by 
nation-states, and even competing businesses. For instance, the growth of cloud 
storage hosting services has revolutionized the ways that information is shared 
within and outside of corporate environments. As more information begins to 
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appear on these services, they are often only as secure as the username and pass- 
word provided by users. Even if a business is savvy enough to avoid leaving key 
designs and plans out of these services, the presence of information about the 
employee team structures and roles of individuals may provide attackers with 
clues as to who and what to target next. 

Similarly, the increased reliance that companies have on temporary and con- 
tract employees may reduce the security of their intellectual property. Individu- 
als with no loyalty to a company and a fixed length of employment may be less 
inclined to implement full security protocols or report if they are experiencing 
problems that may signify they have been compromised. Since such employ- 
ees may also work remotely, they may be more at risk for loss of information 
through email or cloud storage portals. Thus, there are ample opportunities for 
intellectual property theft that are not easily eliminated. 


Counterfeiting, E-Commerce, and Intellectual 
Property Theft 


The increased use of the Internet by consumers to identify and purchase goods 
has also enabled fraudsters to find ways to distribute counterfeit goods through 
online outlets due to the large return on investment and low risk of detec- 
tion (Wall & Large, 2010). The sale of counterfeit goods is actually a form 
of intellectual property theft in which individuals create, distribute, and sell 
products that closely replicate or blatantly copy the original designs of a pri- 
vately owned product. The counterfeit product, however, is of a lower quality 
despite utilizing similar branding and designs to entice buyers, while none of 
the profits are returned to the original copyright holder (Wall & Large, 2010). 
As a result, counterfeiting can harm the economic health and reputation of a 
company due to the sale of poor-quality products utilizing stolen designs and 
intellectual property. 

Email is a particularly practical way to advertise counterfeit products because 
the creator can use language that suggests their prices are very low for high- 
quality items that otherwise make a social statement or help the buyer gain social 
position (Wall & Large, 2010). The same is true for the monetization of various 
social media platforms, such as Instagram, where vendors can set up convincing 
profiles using images and logos from the real brands to sell fake products (Solon 
& Ingram, 2019). They can use hashtags to help increase the visibility of their 


products and link out to online storefronts that may be difficult for consumers to 


differentiate from the legitimate brand’s sites (Solon & Ingram, 2019). 
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In fact, the lack of regulation in online markets enables sellers to offer 
counterfeit products, which may look like the authentic product, directly to 
consumers. Online spaces do not allow consumers to properly inspect an item, 
forcing them to rely on the images and descriptions of products (Solon & 
Ingram, 2019). As a result, counterfeiters can use images including legitimate 
brand logos and photos of the actual product to create advertisements that 
speak to the value and low cost of their merchandise (Balsmeier et al., 2004; 
Wall & Large, 2010). In turn, consumers are only able to evaluate the adver- 
tisement and may not realize they have been swindled until a poor-quality 
forgery or fake arrives in place of the original item. Furthermore, any regula- 
tory attempts taken by social media companies and brand owners to remove 
counterfeit accounts are easily defeated by creating new profiles (Solon & 
Ingram, 2019). 

Another reason counterfeiters may utilize email to advertise and lure in 
unsuspecting consumers is that they can easily drive traffic to the online mar- 
kets and websites that they manage. Alternatively, they may use existing mar- 
kets, like online retail sites, where they can artificially manipulate indicators of 
trust and reputation to appear more legitimate (Dolan, 2004). In fact, evidence 
from the brand protection company MarkMonitor (2017) found that 27 percent 
of respondents in a survey of individuals in ten countries unknowingly pur- 
chased counterfeit goods of all kinds. Many of these products came from online 
markets, search engine results, and social ads, suggesting they were identified 
through relatively traditional methods. 

Counterfeiters can also utilize auction sites and secondary retail markets 
online as a means to sell their products. For instance, an existing eBay seller 
profile that has been inactive can be stolen and hijacked by a fraudster in 
order to sell counterfeit products while appearing to be a reputable seller in 
good standing (Chua et al., 2007; Gregg & Scott, 2006). Sellers can also cre- 
ate accounts using fake names or addresses, making it difficult to locate the 
identity of the person responsible for the sale of fraudulent goods (Gregg & 
Scott, 2006). 

The Organisation for Economic Co-operation and Development (OECD) 
reported that the estimated value of imported fake goods worldwide was 
$509 billion in 2016, which was 3.3 percent of all global imports (OECD, 
2019). This included all physical counterfeit goods that infringe trademarks, 
design rights or patents, and tangible pirated products that would violate 
copyright protection. The overwhelming majority of these goods were 
footwear, representing 22 percent of all seized products, which is likely a 
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reflection of the high demand for unique, limited release shoes across global 
markets (OECD, 2019). At the same time, this does not include online 
piracy, which further affects retailers and copyright holders. Twenty-four 
percent of fake goods that were seized affected the intellectual property 
rights of US companies though corporations in France (17 percent), Italy 
(15 percent), Switzerland (11 percent), and Germany (9 percent) were also 
affected. Most all of these goods originated from China and Hong Kong, 
though a small percent also originate from various Southeast Asian countries 
(OECD, 2019). 

Limited research suggests that consumers who buy counterfeit goods wish 
to conform to current fashion norms and be part of the “it-crowd.” They want 
to position themselves within the social elite who own authentic versions of a 
counterfeit product (Wall & Large, 2010). Thus, counterfeit luxury goods allow 
sellers to “trade upon the perception of and desire for exclusivity and to extract 
its high value by deceiving consumers into buying non-authentic and often 
low-quality products” (Wall & Large, 2010, p. 1099). Evidence suggests that 
the most popular brands sought after by consumers seeking counterfeit prod- 
ucts are high-end luxury labels, including Louis Vuitton®, Gucci", Burberry®, 
Tiffany”, Prada®, Hermes®, Chanel®, Dior®, Yves Saint Laurent®, and Cartier® 
(Ledbury Research, 2007). The majority of counterfeit products purchased 
through email-based ads are clothes (55 percent), shoes (32 percent), leather 
goods (24 percent), jewelry (20 percent), and watches (26 percent) (Ledbury 
Research, 2007). 

Those consumers who are defrauded through eBay often have limited 
recourse to deal with the problem (Dolan, 2004). Currently, eBay does not 
offer monetary compensation to victims of fraud; the company will only log 
the complaint and mark the seller’s profile. PayPal and payment providers may 
absorb fraudulent charges, though this does not guarantee victims will be fully 
compensated. As a result, many victims of auction fraud do not know where to 
turn to file a complaint. Those who do complain to some agency often report 
dissatisfaction with the process (Dolan, 2004). However, their experiences do 
not keep them from engaging in online commerce, as more than 75 percent of 
victims go on to buy goods via auctions and e-commerce sites (Dolan, 2004; 
see Box 5.2 for details on the development of brand protection communities to 
minimize risk of purchasing counterfeit goods). 

In addition to counterfeit luxury goods, spammers frequently target pre- 
scription drugs and supplements through email and online advertising (Grow 
et al., 2006; Kaspersky, 2021). In fact, PwC (2017) estimated that counterfeit 
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Box 5.2. The Rise of Virtual Brand Protection 
Communities 


The rise of e-commerce and secondary-market sales has created unique 
opportunities for educated consumers to find products at very low prices. 
This system has also been exploited by counterfeiters and criminals as a 
means to dispose of fake merchandise with minimal difficulty as consumers 
are unable to examine their products prior to making a purchase. Given 
these risks, a number of so-called independent virtual brand communities 
have emerged online to help consumers make informed purchases. This 
term is largely born out of consumer research, referencing the fact that 
individual consumers band together online based on their shared interest 
in a specific brand or product (Muniz & O’Guinn, 2001). The group 
functions independently of the brand owner, operating by loyal customers 
as a means to share their commitment to the brand, communicate infor- 
mation and knowledge about its products, as well as the values they have 
imbued in the brand (Muniz & O’Guinn, 2001; Sloan et al., 2015). 

Brand communities can also serve as a resource to minimize losses due 
to counterfeiting by detecting counterfeit retailers in advance of a pur- 
chase (Basu & Muylle, 2003, p. 163). Evidence suggests consumers par- 
ticipate in brand communities to learn about products and quality, as well 
as user experiences (Millan & Diaz, 2014). In turn, consumers may be 
properly informed of the ways that a product should be marketed, how it 
should appear, and what vendors may be considered legitimately associ- 
ated with the brand (Royo-Vela & Casamassima, 2011). 

In particular, independent virtual brand communities can be a val- 
uable mechanism to authenticate products and sellers associated with 
a particular brand or industry (Basu & Muylle, 2003). Participants can 
share the potential red flags that are associated with counterfeit products 
and the perceived legitimacy of a vendor or their website (Mavlanova & 
Benbunan-Fich, 2010; Narcum & Coleman, 2015). There are a num- 
ber of these communities associated with brands, such as niketalk.com, 
which functions as a forum for enthusiastic fans of the Nike brand (and 
other athletic shoe brands) to discuss products, rate their performance, 
and authenticate online retailers and independent vendors operating on 
sites like e-bay.com. The site has no association with Nike but operates as 
one of the world’s largest online communities to discuss this brand. There 
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are similar forums for various retail categories, such as thebagforum.com 
operating as forum for individuals to discuss various purses and handbag 
makers and retailers, as well authenticate products prior to making a pur- 
chase. Thus, brand communities serve a vital role in assisting consumers in 
determining the legitimacy of a product and reducing the potential losses 


associated with counterfeit purchases. 
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drug sellers earn between $163 and $217 billion per year through sales on var- 
ious on and off-line platforms. Many counterfeiters target products that have 
high name recognition, such as Viagra, Cialis, and Lipitor, and various life- 
saving medications for HIV and malaria are common in various markets such 
as Africa (PwC, 2017). 
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For more on the dangers of counterfeit pharmaceuticals, go online 
to: https://www.strategyand.pwe.com/gx/en/insights/2017/fighting- 


counterfeit-pharmaceuticals/fighting-counterfeit-pharmaceuticals.pdf 


The substantial volume of pharmaceutical counterfeiting is directly related to 
the increased use of prescription drugs in the general population across the globe 
(Finley, 2009). Many individuals legitimately use prescription drugs for assorted 
pains and ailments, and a small proportion of the population are addicted to 
prescription pain medications (Crowley, 2004). Additionally, requesting some 
medications like those for erectile dysfunction may embarrass the patient and 
reduce their willingness to ask for it from their regular physician. Regardless, 
the cost of pharmaceuticals rose substantially over the last decade, making it 
difficult for some to acquire necessary medications (Crowley, 2004). 

The creation of internet pharmacies over the last ten years has enabled indi- 
viduals to access legitimate and illegitimate needs at a low cost and, in some 
cases, without prescriptions (Finley, 2009). In fact, the Pharmaceutical Secu- 
rity Institute (PSI, 2017b) has documented a 51 percent increase in the number 
of arrests involving the seizure of counterfeit drugs between 2011 and 2015. 
The quantity of drugs seized varies, though 33 percent of all those arrests made 
in 2015 involved over 1000 doses of a medication, while 56 percent involved 
less than that amount. Seizures involving smaller quantities have increased 
substantially over the last few years, which is due to the increased volume of 
counterfeit drugs being sold online (PSI, 2017b). This is also a global problem, 
with arrests made in 128 countries; however, the majority of arrests and sei- 
zures occurred in Asian countries during 2015 (PSI, 2017a). North American 
seizures and arrests also increased 100 percent from 2014 to 2015, which is 
again likely a function of purchases of counterfeit pharmaceutical products 
online (PSI, 2017a). 

Online pharmaceuticals present a substantial threat to consumers as they can 
obtain prescription drugs without an actual prescription. The United Nations’ 
International Narcotics Control Board (INCB) found that approximately 
90 percent of all pharmaceutical sales made online are made without a prescrip- 
tion (Finley, 2009). Similarly, the US General Accounting Office (2004) found 
that only 5 of the 29 pharmacies based in the United States required validation 
of a prescription before distributing drugs. Many online pharmacies hosted in 
foreign countries relied on medical questionnaires or required no information at 


all from the consumer in order to acquire a prescription (Finley, 2009). 
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As a consequence, it is difficult to distinguish legitimate online pharmacies 
from those designed expressly to sell counterfeit products to unsuspecting con- 
sumers. In fact, there is a distinct threat to consumer safety posed by the sale 
of prescription drugs online (Grow et al., 2006; Phillips, 2005; Stoppler, 2005; 
Tinnin, 2005). Unlike luxury goods counterfeiting, the consumers who buy 
from online pharmacies may not be cognizant of the potential for adultera- 
tion or outright useless ingredients included in these products. Stoppler (2005) 
reported that drugs purchased from illegal online pharmacies have the potential 
to: (1) be outdated or expired, (2) be manufactured in subpar facilities, (3) con- 
tain dangerous ingredients, (4) be too strong or weak, (5) contain the wrong 
drug, or (6) be complete fakes. In fact, the US Food and Drug Association 
reported that approximately 90 percent of all prescription drugs coming into the 
United States purchased through email or postal mail are dangerous and include 
minimal active ingredients (Tinnin, 2005). 

An additional concern lies in the difficulty of regulating or deterring illegal 
online pharmacies. This is a consequence of the anonymity afforded by the 
Internet and computer technologies. Offenders can quickly create a pharmacy, 
sell products, and either move their website to a different address or completely 
disappear before law enforcement can begin a proper investigation. In addition, 
the website creators can set up their web address to appear to be hosted in any 
country and utilize branding and imagery that would make the site appear to be 
legitimate. For instance, LegitScript and KnujOn conducted an investigation of 
“rogue” internet pharmacies designed to “sell or facilitate the sale of prescrip- 
tion drugs in violation of federal or state laws and accepted drug safety stand- 
ards” through the search engine bing.com (LegitScript & KnujOn, 2009). The 
authors were able to identify ten rogue pharmacies advertising on the search 
engine, though they were all removed within days of their initial investiga- 
tion. The authors were, however, able to obtain a prescription drug without an 
actual prescription through another rogue pharmacy advertising on bing.com 
(LegitScript & KnujOn, 2009). Thus, the problem of counterfeit pharmaceuti- 
cals poses a potentially serious risk to vulnerable populations and is a direct result 
of intellectual property theft. 


The Evolution of Piracy and Pirating Methods 


We will now shift to a discussion of a more digital form of intellectual prop- 
erty theft: digital piracy. The theft of music and video recordings existed prior 


to the emergence of the Internet. The development of affordable audio and 
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video recording equipment in the 1970s and 1980s enabled individuals to eas- 
ily record music or videos during live concerts as well as radio and television 
broadcasts. For example, the audiotape allowed individuals to record songs and 
programming on the radio while it played live. This allowed individuals to 
create “mix tapes” with content that was aired for free. Similarly, the Video 
Home System (VHS) tape and home video cassette recorder (VCR) allowed 
individuals to record content from their televisions and replay it at a time of 
their choosing (Hilderbrand, 2009). In turn, those with multiple VCRs could 
connect them together in order to create “bootleg” tapes by playing content 
on their television while recording it on another VCR at the same time. This 
method could be applied in order to obtain free copies of films that were still 
prohibitively expensive for purchase but inexpensive to rent from various retail 
outlets (Hilderbrand, 2009). 

Moving into the 1990s, the emergence of the compact disc (CD) helped 
usher in a change in the way in which media was recorded, formatted, and 
handled (Nhan, 2013). Vinyl records and cassette tapes were the standard media 
format of choice for many; these were analog formats, meaning that the sound 
waves produced by musicians, while playing, are reproduced in an analogous 
electrical signal that is then replicated into variations in the recording medium, 
such as the grooves on a record. The CD, however, was a digital medium, 
whereby sound waves were converted into a sequence of numbers that were 
then stored electronically. This format was thought to be of superior quality to 
traditional analog recordings and had the potential to be much less expensive 
than other formats to produce. As a result, media companies could obtain a 
higher rate of return on investments for their intellectual property. 

In 1996, the Motion Picture Experts Group (MPEG) was actively working 
with the International Organization for Standardization (ISO) to develop a 
mechanism to compress large audio and media files into a smaller size for distri- 
bution over the Internet (Nhan, 2013). Since most users at this time used dial-up 
Internet connectivity, the connection speeds and volume of data that could be 
downloaded were relatively slow and small. Thus, they developed the MP3 
format in order to compress audio files, which became the industry standard 


for compression and media formatting (Nhan, 2013). 


For more information on the evolution of MP3, go online to: 
www.npr.org/blogs/therecord/2011/03/23/134622940/the-mp3-a- 
history-of-innovation-and-betrayal 
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The release of the MP3 format led to the creation of MP3 players, like 
Winamp, for desktop computers. These programs became extremely popular 
and the first portable MP3 player was produced and marketed just three years 
later, in 1999. In turn, individuals were able to use this compression standard 
to their advantage in order to pirate media and share it with others through 
various services (Nhan, 2013). In fact, the production of desktop computers 
with CD drives that could both read and write onto CDs made it tremen- 
dously easy to duplicate and pirate materials with immediate gratification and 
minimal risk. 

The same can be said for DVDs and BluRay media, which provide 
high-quality image and sound in a format that can now be readily cracked 
and shared. There are now various “ripping” software programs that allow 
users to remove Digital Rights Management (DRM) protection from media 
in order to copy content to a storage device. In fact, the company 321 Stu- 
dios in the United States developed a software product called DVD X Copy 
that allowed users to copy any DVD movie to a blank DVD (Karagiannis 
et al., 2004). This program required no technical knowledge, rather the user 
simply installed the software and followed the prompts in order to copy the 
media. An injunction was brought against the company that forced them to 
shut the service down in 2004, but various programs are available that pro- 
vide the same facilities. 

The availability of pirated materials has been intimately tied to the evolution 
of technology and the role of computer hackers who develop tools to enable 
piracy. Media and software companies have always utilized tools to minimize 
the likelihood of their intellectual property being copied. In fact, hackers in 
the early 1980s began to subvert protections on software in order to share pro- 
grams with others (Meyer, 1989). The individuals who posted and shared pro- 
grams were commonly referred to as warez doodz, which is a combination of 
the words “software” and “dudes.” Their warez, or pirated files, were initially 
distributed through password-protected Bulletin Board Systems (BBSs), and 
individuals could gain status by providing access to new or hard-to-find files 
(Meyer, 1989). Thus, warez doodz were important players in the early days of 


the hacker scene. 


For more information on the early days of piracy, go online to: 
http://arstechnica.com/gadgets/2014/01/modems-warez-and-ansi-art- 
remembering-bbs-life-at-2400bps/ 
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As technology became more user friendly, and the cost of Internet con- 
nectivity decreased, warez creation and sharing became more prominent. The 
techniques to share files, however, began to change with innovations in the 
technology and creative computer engineering. For instance, the risk associ- 
ated with sharing cracked or pirated files through single servers or web-based 
repositories increased because a law enforcement agency could take out that 
one server and eliminate all access to the files (Nhan, 2013). Thus, the develop- 
ment of various peer-to-peer (P2P) file-sharing protocols in the late 1990s 
enabled file sharing directly between users, which dramatically reduced the 
likelihood of detection. For instance, the development of Internet Relay Chat 
(IRC) channels in 1998 allowed users to connect and communicate with others 
in literally thousands of chat rooms established and run by various individuals 
(Cooper & Harrison, 2001) This was, and still is, a communications vehicle for 
technologically savvy users and was initially populated by those involved in the 
hacking and warez scenes. 

The social nature of IRC coupled with its global reach led many to use it 
as a means to engage in direct file sharing, particularly for software and music 
(Cooper & Harrison, 2001). Typically, individuals would enter a chat room 
and specify what they were looking for, and a user with those materials would 
negotiate with that person in order to get some files in return. The reciprocal 
relationships that developed in IRC fostered the formation of a piracy subcul- 
ture where individuals were judged on their ability to find and access programs 
or files and share them with others (Cooper & Harrison, 2001). 

While the technical nature of IRC limited its use as a file sharing service to 
more technically literate populations, the larger population of Internet users was 
able to engage in piracy through the development of the program Napster in 
1999 (Alderman, 2008; Nhan, 2013). This freely available specialized software 
was developed by Shawn Fanning and others in order to provide an easy-to- 
use program to share MP3-encoded music files between computer systems. 
Specifically, a user needed to download the Napster program, which would 
connect that computer to the larger network of user systems that also had the 
program installed (Nhan, 2013). Users would then select a folder or folders that 
they wanted to share with others, which would then be indexed onto servers 
maintained by the Napster Corporation (Alderman, 2008). This allowed users 
within the network to quickly identify media that they wanted and be directly 
connected to the appropriate computer to complete the download. 

Napster became an extremely popular file-sharing service in a short amount 
of time (Alderman, 2008). In fact, over 2.7 billion music files were traded 
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between Napster users in February 2001. The development and adoption of 
high-speed internet connectivity for home users also stimulated involvement in 
piracy. Individuals could download several complete songs in the time it took 
to obtain one file through traditional dial-up connectivity. Thus, Napster played 
a pivotal role in the growth of the piracy problem. 


For more information on the government debates over Napster, 


go online to: www.c-span.org/video/?159534-1/records-v-napster 


The popularity of Napster, however, was stymied by lawsuits brought against 
the corporation by the heavy metal band Metallica and A&M Records in 2001 
(Alderman, 2008). These suits argued that the service was facilitating piracy and 
negatively impacting the financial well-being of artists and recording compa- 
nies (McCourt & Burkart, 2003). These lawsuits forced Napster to become a 
paid service, which quickly declined in popularity. Several other P2P services 
quickly took its place, such as LimeWire and Kazaa, which utilized similar pro- 
tocols in order to connect users and distribute media. 

Shortly after the decline of Napster, a new file-sharing protocol called Bit 
Torrent emerged that became extremely popular. The use of torrent sharing 
software allows concurrent uploads and downloads of media through multiple 
sources (Holt & Copes, 2010). Specifically, users must download a torrent client, 
which connects them to the larger network of users. From there, a person can 
search for a piece of media he/she wants to download through various indexing 
services (Holt & Copes, 2010; Nhan, 2013). Once they find that movie or music, 
they then begin to download the file by connecting to a series of user computers 
who have that file, referred to as “seeders.” The torrent protocol links the down- 
loader to an indexed list of all seeders and captures bits of the full file from multi- 
ple users at once (Nhan, 2013). This process makes downloading much faster and 
decentralized in order to make it more difficult to disrupt the network of file 
sharing. As a result, the torrent protocol is a true P2P mechanism because of the 
ability to access the required file directly from dozens of users at once. 


For more information on torrents, go online to: www.bittorrent.com/ 


Torrent clients became extremely popular in the mid-2000s and were 


thought to have accounted for over half of all pirated materials online by 2004 
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Box 5.3 Changing Film Practices and Their Impact 
on Piracy 


Studios Are Experimenting with Film Release Models. Here’s 
What that Could Mean for Movie Piracy 


https://www.cnbc.com/2021/01/02/studios-experiment-with-release- 
models-what-that-means-for-film-piracy html 


Heading into 2021, piracy experts told CNBC that they have theo- 
ries about how pirates will react to these different models, but aren’t 
entirely sure what will happen. 


This article provides an overview of thoughts about the ways that piracy 
will change as the practices of film studios adapt to the COVID-19 pan- 
demic and its impact on the entertainment industry overall. The experts 
quoted provide some interesting opinions on the ways that piracy rates 
and practices may evolve in tandem with changes in the release models of 
movies to online streaming platforms in lieu of theatrical releases. 


(Pouwelse et al., 2005). In fact, one of the most popular resources in the torrent 
community is The Pirate Bay (TPB), which maintains indexed torrent files 
for music, software, video games, and new-release movies. The group operates 
out of Sweden and has been in existence for years despite being raided by police 
and having three of its key operators convicted of copyright law violations 
requiring one year in jail and millions of dollars in fines (Nhan, 2013). As a 
result, torrents appear to be the latest file-sharing mechanism available to pirates, 
though this may change in the next few years with innovations in technology as 
a whole (see Box 5.3 for detail). 

To that end, a few trends have emerged in piracy practices based on the pro- 
liferation of high-speed internet connectivity and streaming media consump- 
tion. First, many pirates are now actively encouraged to use virtual private 
networks (VPNs) when seeking to download torrent files. A VPN is a tool 
individuals can use to hide their IP address and physical details, as the VPN 
becomes the front-facing IP address that would be logged whenever an indi- 
vidual connects to a torrent client to access files (Holt & Copes, 2010). Such a 
strategy helps to minimize a pirate’s risk of detection or potential sanction by 
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service providers because their personal information cannot be readily identified 
(Maxwell, 2013). 

Second, the use of streaming media services like Netflix, Hulu, and other 
applications has become extremely popular, and a standard way to consume 
television and film content. Interestingly, there is some evidence that pirates are 
now streaming pirated content to consume it rather than downloading it and 
viewing it off-line (MUSO, 2020). A 2018 report from the MUSO corporation 
found that 53.2 billion visits to film and television piracy sites were to streaming 
sites in 2017. In addition, mobile devices are being increasingly used to identify 
and pirate materials that present a change in piracy behaviors generally (MUSO, 
2020). Thus, it is necessary to constantly monitor the practices of pirates as they 
continue to change their methods due to shifts in entertainment consumption 
habits and technology. 


The Subculture of Piracy 


The digital piracy subculture has clear similarities and overlap with the hacker 
subculture discussed in Chapter 3. A hierarchy exists within the digital piracy 
subculture in which members can gain respect based on their skills and ability to 
create and share files with others (Holt & Copes, 2010; Steinmetz & Tunnell, 
2013). Pirates who have a higher upload-to-download ratio, meaning that they 
share more digital files than they receive from others, are viewed with more 
respect as contributing members of the subculture (Steinmetz & Tunnell, 2013). 
Since true members of the digital piracy subculture believe that information and 
knowledge is supposed to be free, pirates who attempt to profit from selling dig- 
ital files to others are condemned and are seen as antithetical to this foundational 
premise of the subculture (Holt & Copes, 2010). 

Persistent pirates appear to develop large collections of media or content 
in order to have complete discographies or works by an artist or television 
show (Cooper & Harrison, 2001; Downing, 2011). As a result, those pirates 
who can share unusual or exotic materials with others are able to generate 
status within the subculture. Their ability to distribute these materials allows 
them to develop a reputation for file sharing that leads to respect from both 
casual and persistent pirates (Cooper & Harrison, 2001; Downing, 2011). 
The desire for exotic materials may have influenced TPB’s decision to con- 
tinue to host torrent files that had fewer than ten people sharing it, despite 


no longer hosting torrent files generally in February 2012. The operators 


indicated that they wanted to keep content available to all regardless of the 
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form of torrent software they used, while also keeping their own costs down 
(Van Der Sar, 2012). 

Digital pirates, like hackers, can also gain respect in the subculture through 
their knowledge and skills. Digital pirates must have the knowledge to be able 
to discern legitimate digital files from “poisoned” files (1.e., files that the music 
or movie industry contaminate with malicious software) before downloading 
and sharing files with others. Not being able to distinguish between these types 
of files will lead to ostracism in the subculture (Holt & Copes, 2010), similar to 
how script kiddies are treated within the hacker subculture. Similarly, pirates 
who are able to remove the DRM protections that producers have attached 
to digital files, and share those products freely with others, have a higher status 
within the subculture (Steinmetz & Tunnell, 2013). The successful removal of 
these protections for a highly coveted digital file provides the pirate clear evi- 
dence to other members in the subculture of their skills, knowledge, effort, and 
dedication to the subculture, similar to a successful hack in the hacker subculture. 

Within the existing research on piracy, there are specific justifications that 
pirates use to support their behaviors, regardless of the materials they acquire. One 
of the most common beliefs of the digital piracy subculture is denying any injury 
occurs to corporations or individuals as a result of their piracy. Most pirates view 
digital piracy as a victimless crime in which no one is hurt (Hashim et al., 2018). 
They argue that piracy involves copying a digital file and does not deprive the 
owner of the original file or work (Yu, 2010). They therefore view pirating media 
as something much different than the stealing of physical copies of media via shop- 
lifting and theft (Holt & Copes, 2010). Thus, they are not ignoring the harm that 
is being caused; they reject the idea that they are causing any harm (Brown, 2016). 

Pirates often also believe that media corporations should not be viewed as 
“victims” of digital piracy because of the pirates’ perceptions of the high prices 
of movies, music, software, and video games as a result of greedy corporate 
practices (Holt & Copes, 2010; Steinmetz & Tunnell, 2013). Pirates may simply 
argue that they could not afford to pay those perceived high prices. Pirates often 
also argue that piracy cannot be that wrong if almost everyone, especially those 
in their age group, appear to be pirating music and movies (Smallridge & Rob- 
erts, 2013). Even if they thought that pirating was inappropriate, they may feel 
that it is unfair that they have to pay for these forms of entertainment if everyone 
else is getting them for free. Some pirates may also simply claim that they did 
not know that what they were doing was illegal (Steinmetz & Tunnell, 2013). 

The benefits of piracy are quite high as a person can obtain what they want 
with no cost and minimal risk of detection. The immediate material benefits 
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also facilitate larger individual interests in certain artists, genres, or gaming sys- 
tems. For instance, media pirates report that they might download a single epi- 
sode of a television show or piece of music to determine if they might enjoy 
the product, a technique or belief sometimes referred to as “Claim of Future 
Patronage” (Holt & Copes, 2010; Smallridge & Roberts, 2013; Steinmetz & 
Tunnell, 2013). If they find it entertaining, then they may actually buy the full 
season of that show or pay for other music by an artist so that they can enjoy the 
product in a better format. Similarly, individuals who pirate older video games 
indicate that their downloading helps to maintain their interest in older consoles 
and gaming systems (Downing, 2011). In fact, Downing (2011) argues that 
video game piracy may be a consequence of the general success and popularity 
of video games rather than a source of market failures. 

At the same time, there are certain risks that arise as a consequence of engag- 
ing in piracy that cannot be ignored. There are clear legal risks that may come 
from violating copyright laws, such as fines or potential arrests depending on 
the depth of one’s involvement in piracy. The decision-making processes of 
pirates, however, do not appear to be impacted by the deterrent influence of 
legal sanctions (Al-Rafee & Cronan, 2006; Gillespie, 2006; Gunter, 2009; Holt 
& Copes, 2010). This is clearly evident in the continuous attempts to take down 
TPB and other torrent groups. Most all of these sites, particularly TPB, persist, 
which suggests that they can withstand any attempt to remove pirated content 
from the Internet. 

Similarly, a persistent pirate noted: “I think the govt/companies pick people 
to make an example out of them ... I think they take someone who they know 
cannot pay for it or is a regular person and try to make an example out of them 
to scare people” (Holt & Copes, 2010, p. 638). In fact, most individuals are able 
to justify their piracy based on the notion that they do not otherwise shoplift or 
steal CDs, software, and games from bricks-and-mortar stores. For instance, one 
individual involved in gaming piracy suggested, “Piracy is not Theft. It’s piracy” 
(Downing, 2011, p. 765). Thus, the subculture of piracy appears to support and 
justify these behaviors in a variety of ways. 


The Evolution of Legislation to Deal with Intellectual 
Property Theft 


Though digital piracy is a recent phenomenon, the larger issue of protection for 


intellectual property is quite old. In fact, there have been laws pertaining to cop- 


yright in existence in England since the mid-1600s. These laws were primarily 
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designed to restrict the ability to reproduce materials at a time when printed 
type and the ability to read were still highly restricted to the wealthy classes. As 
technologies related to printing, recording, and photography evolved, so too 
did laws pertaining to the ownership and management of intellectual property. 


Berne Convention 


The recognition ofa need for consistent international protections for intellectual 
property came to the fore in the late 1800s. At that time, copyright protections 
were only afforded in the nation where they were published. A book published 
in France could be copied and sold in other countries with no concern for either 
the existing copyright or the author. This was particularly important because of 
the differences in the Anglo-Saxon concept of “copyright” which focused on 
economic issues with the French concern of the “right of the author.” Thus, 
nations became concerned about the ways that intellectual property would be 
handled and protected internationally. These concerns led to an international 
agreement on copyright laws at the Berne Convention for the Protection 
of Literary and Artistic Works, also known at the Berne Convention, in 
Berne, Switzerland in 1886. The original signees of the Berne Convention were 
the United Kingdom (although much of it was not implemented in the United 
Kingdom until the passage of the Copyright, Designs and Patents Act of 1988), 
France, Belgium, Germany, Italy, Spain, Switzerland, Haiti, Liberia, and Tuni- 
sia (WIPO, 2021a). 

In addition to the important copyright agreements discussed below, the 
Berne Convention set up bureaus to handle various administrative tasks and 
to develop protections and frameworks for intellectual property. Two of these 
bureaus merged and became the United International Bureaux for the Pro- 
tection of Intellectual Property, which later became the World Intellectual 
Property Organization (WIPO) in 1967 (WIPO, 2021b). In 1974, WIPO 
was integrated as an organization within the United Nations. Today, the WIPO 
has 193 nation members. It is a self-funding agency of the United Nations that 
provides a “global forum for intellectual property services, policy, information 
and cooperation” (WIPO, 2021b). Their mission is “to lead the development 
of a balanced and effective international IP (intellectual property) system that 
enables innovation and creativity for the benefit of all” (WIPO, 2021b). 

The Berne Convention’s primary focus was to protect authors’ works and 
rights by ensuring that copyright laws of one nation were recognized and applied 
in other places (WIPO, 2021a). It accomplished this by focusing on three basic 
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principles. The first principle is the principle of national treatment, which states 
that works created in any of the signatory nations must be provided the same 
protection as that of works originating in that nation. Second, the principle of 
automatic protection states that protection must not be conditioned upon com- 
pliance with any formality. This means that works are automatically protected 
when they are “fixed,” or recorded on a physical medium, and that authors 
must not be required to register their work. Third, the principle of independ- 
ence of protection holds that protection is independent of any existence of 
protection in the work’s country of origin (WIPO, 2021a). 

In addition, the Berne Convention provided the minimum standard of 
protection that must exist to protect authors’ works and rights. For instance, 
Article 2(1) of the Convention holds that protections have to be made for all 
works, including “every production in the literary, scientific and artistic domain, 
whatever the mode or form of its expression.” In addition, the following rights 
were recognized as exclusive rights of authorization: (1) the right to translate; 
(2) the right to make adaptations and arrangements of the work; (3) the right to 
perform in public dramatic, dramatico-musical and musical works; (4) the right 
to recite literary work in public; (5) the right to communicate to the public the 
performance of such works; (6) the right to broadcast; and (7) the right to use 
the work as a basis for an audiovisual work, and the right to reproduce, distrib- 
ute, perform in public, or communicate to the public that audiovisual work. 
Finally, the Convention provided for “moral rights,” meaning that authors have 
the right to claim ownership of their work and object to any action that may be 
considered prejudicial to the author’s reputation (WIPO, 2021a). 

The Berne Convention also clarified the duration of the copyright protec- 
tion. For most works, the general rule is that protections must be granted until 
50 years after the author’s death. There are several exceptions. For example, 
anonymous work is protected for 50 years after the work was lawfully made 
available to the public unless the author’s identity becomes known, in which 
case the general rule would apply. Audiovisual work must be protected for 
a minimum of 50 years after being made available to the public, of if never 
released, 50 years after being created. Applied art and photographic works must 
be protected for a minimum of 25 years after the work was created (WIPO, 
2021a). Finally, copyrighted work cannot be protected longer internationally 
than it is in the country of origin, referred to as the “rule of the shorter term.” 

Although the Berne Convention concluded in 1886, it was later revised in 


1896 in Paris and in 1908 in Berlin, finally being completed in Berne in 1914. 


The Convention continued to see many revisions and amendments over the 
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next century, as it was revised in 1928 (Rome), 1948 (Brussels), 1967 (Stock- 
holm), and in 1971 (Paris), and amended in 1979. The Appendix to the Paris 
Act of the Convention importantly allowed developing countries to translate 
and reproduce works in certain cases connected to education (WIPO, 2021a). 

As of the end of 2020, 177 nations were parties to the Berne Convention 
(WIPO, 2021c). The large number of nations who are parties to the Berne 
Convention is a result of all World Trade Organization nation members need- 
ing to accept almost all of the conditions of the Berne Convention under the 
Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS 
Agreement). They are not bound to the moral rights provisions of the Conven- 
tion (WIPO, 2021a). 

The United States, however, did not enter into force in the Berne Con- 
vention until 1989. The United States’ primary concerns with ratifying the 
treaty were its reluctance to change its copyright laws which require copyright 
works to be registered. The United States had instead ratified other Conven- 
tions throughout the 20th century, such as the Universal Copyright Conven- 
tion in 1952, to address some of the other issues regarding copyrights. Even 
with the United States ratifying the Berne Convention, citizens who create 
a work that they want to be protected in US courts have to obtain a copyright 
within the United States to ensure they receive equal protection under the law. 
For instance, if a US citizen or organization develops intellectual property and 
feels that their idea has been infringed upon, they cannot legally file suit unless 
they have received a copyright there (Brenner, 2011). 


Copyright Act of 1976 


The United States has had criminal penalties for the infringement of pro- 
tected intellectual property, however, since 1909 (Copyright Act of 1909). 
Interestingly, the United States also removed the power to prosecute copy- 
right infringement cases from state courts in 1976 with the introduction of the 
revised Copyright Act of 1976, which introduced new criminal sanctions 
under Titles 17 and 18 of the US Criminal Code (Brenner, 2011). Currently, 
the most stringent legal statutes in the US pertaining to copyright infringement 
are contained under Title 17 of the US Criminal Code (506), which make 
it a federal crime for someone to willfully infringe an existing copyright for 
either commercial advantage, private gain, or by reproducing or distributing 
one or more copies of a copyrighted work with a value of more than $1,000 in 


a 180-day period (Brenner, 2011). In fact, distributing or reproducing one or 
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more copyrighted works with a value of at least $1,000 in a 180-day period can 
lead to misdemeanor charges. A felony charge requires that a person reproduce 
or distribute at least ten copies of one or more copyrighted works with a total 
value of more than $2,500 within 180 days (Brenner, 2011). As such, persistent 
pirates would be more likely prosecuted with felony charges, such as the mem- 
bers of TPB. 

This statute is commonly used to prosecute software piracy due to the high 
costs associated with certain forms of commercial software. For instance, pop- 
ular design software programs like Photoshop or AutoCad can cost hundreds 
of dollars for a single copy. Thus, an individual who makes two copies of this 
program could easily be charged with a misdemeanor under this law. The low 
cost of music and movies makes it much more difficult to successfully prosecute 
an individual under these statutes due to the massive volume of materials they 
would have to reproduce. 


WIPO Copyright Treaty 


Even with the multiple revisions to the Berne Convention over the 20th cen- 
tury, copyright owners did not feel that the Convention appropriately protected 
the rights of authors in a new digital age. Thus, the WIPO Copyright Treaty 
(WCT) was passed in 1996 and entered into force in 2002 to provide fur- 
ther copyright protections to two types of works: (1) computer programs; and 
(2) databases, or compilations or data or other material, in which the selection 
or arrangement of the contents constitute intellectual creations (WIPO, 2021d). 

The WCT also granted three additional rights to authors: (1) distribution; 
(2) rental; and (3) communication to the public. The right of distribution 
includes the authorization to make available to the public the original and cop- 
ies of the work through either sale or transfer of ownership. The right of rental 
provides authorization for the owner to rent to the public the original and 
copies of computer programs, cinematographic work, and works embodied in 
phonograms. The right of communication to the public includes the right to 
authorize any communication to the public, regardless of it being wired or 
not, to allow the public access to the work from any place at any time, such as 
on-demand and interactive services. 

Consistent with the Berne Convention, the duration of these rights must be 
protected for at least 50 years for any work. The treaty also required the sig- 
natories to “provide legal remedies against the circumvention of technological 


measures (e.g., encryption) used by authors in connection with the exercise 
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of their rights, and against the removal or altering of information, such cer- 
tain data that identify works or their authors, necessary for the management 
(e.g., licensing, collecting and distribution of royalties) of their rights (‘rights 
management information’)” (WIPO, 2021d). The WCT was implemented in 
the United States via the passage of the Digital Millennium Copyright Act 
(DMCA) and in the European Union (EU) by Decision 2000/278/EC, more 
specifically Directive 91/250/EC (covering software copyright protection), 
Directive 96/9/EC (database copyright protection), and Directive 2001/29/ 


EC (prohibition of circumventing devices). 


US Legislation in the 1990s on Intellectual 
Property Theft 


Media conglomerates began to pressure the US Congress in the 1990s to change 
existing copyright laws and increase protections for intellectual property. Their 
efforts led to the creation of several laws including the No Electronic Theft 
(NET) Act of 1997, which increased the penalties for the duplication of cop- 
yrighted materials (Brenner, 2011). Specifically, this law revised the language 
of the copyright act to recognize infringement when an individual receives or 
expects to receive a copyrighted work, including through electronic means, 
regardless of whether they receive commercial or private financial gain. Until 
this point, criminal infringement had to involve some sort of economic advan- 
tage. Thus, the expected receipt of uploaded and/or downloaded copyrighted 
materials online was made illegal, making it possible to pursue individuals who 
acquired pirated materials through file sharing rather than paying for these items 
(Brenner, 2011). Additionally, these revisions introduced sanctions for the 
reproduction or distribution of one or more copies of “phonorecords,” making 
it possible to legally pursue music piracy. Finally, the act increased the penalties 
for piracy to up to five years in prison and $250,000 in fines and increased the 
statutory damages that copyright holders could receive. 

Shortly after the adoption of the NET act, the US Congress also approved 
the DMCA in 1998 (Brenner, 2011). This law was designed to directly affect 
media piracy online through further revisions to the Copyright Act. Specifi- 
cally, this law extended protection to various music and performances that have 
been recorded in some fashion. The second section under this title added sec- 
tion 1201 to the Copyright Act, making it illegal to circumvent any protective 
technologies placed on copyrighted works, and section 1202 making it illegal 


to tamper with copyright management software or protections (Brenner, 2011). 
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While this law was intended to apply to computer software, it can be extended 
to DVDs and music with protections on the disc that provide a modicum of 
protection from infringement or copy. Criminal sanctions for these behaviors 
were also added under section 1204 of the Copyright Act. 

Title I of the DMCA is titled the Online Copyright Infringement Liability Lim- 
itation Act, which gives extended protections to ISPs against copyright infringe- 
ment liability (Brenner, 2011). In order to qualify for these protections, ISPs 
must block access to infringing materials or remove them from their systems 
once a complaint is received from a copyright holder or their agent. This Title 
also enables copyright holders to subpoena ISPs for the IP addresses, names, and 
home addresses of customers who have engaged in the distribution of copy- 
righted materials (Brenner, 2011). These changes enabled copyright holders to 
pursue civil or criminal suits against those sharing pirated materials with others, 
rather than the services making it possible to engage in file sharing overall. 


European Directives 


While US laws may seem particularly punitive, European legislation is equally 
punitive in some cases. For instance, the EU also has a series of directives 
designed to protect intellectual property in various forms. European Directive 
91/250/EEC/2009/24/EC provides legal protection for computer programs 
and harmonized copyright protection across the EU. This Directive was first 
implemented in 1991 and afforded copyright protection to computer programs 
in the same way as literary works, like books or poems. The Directive also gives 
the copyright owner the right to temporary or permanent copying of the pro- 
gram, any translations of the program, or the right to distribute it by any means. 
The life of the copyright extends for the lifetime of the software creator plus 
50 years, though it has been extended to 70 years through a subsequent directive 
in 2009. This Directive also provides the person purchasing software the right to 
back up the software for their personal use, though they must have a license for 
the program itself. Similar protections are also afforded to databases of distinct 
information under Directive 96/9/EC. 

Additionally, European Directive 2001/29/EC, or the Copyright Direc- 
tive, establishes guidelines concerning the adequate legal protection of copy- 
righted materials through technological means. This Directive defines rights to 
copyright holders, including the right to reproduce their materials, and make 
them available to the public through publication and transmission of products 


over the Internet, including music, media, and software. This Directive also 
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requires all Member States to provide legal protections against attempts to cir- 
cumvent technologies that prevent copying of intellectual property and data- 
bases. Additionally, Member States must provide protection against products 
and services designed to circumvent protective measures on intellectual prop- 
erty for illegal purposes or limited commercial goals. As a result of this language, 
this Directive is more stringent than the US DMCA. 


Additional US Legislation Protecting Trademarks 
and Patents 


There are two additional pieces of US legislation that can be used to affect the 
illegal acquisition or use of intellectual property protected by trademarks or 
patents. The Lanham (Trademark) Act (15 U.S.C. 1127), created in 1946, 
introduced legal protections for trademarked products by making it illegal to use 
counterfeit trademarks on a product or use language suggesting that a product 
is associated with an existing trademark (Kerr, 2018). The intent of the law was 
to minimize any confusion consumers may have when viewing trademarks on 
products. For instance, a company could utilize similar imagery or language in 
their product branding and attempt to confuse consumers into thinking they are 
somehow related to a more famous trademarked brand’s products (Kerr, 2018). 
Such actions could also drain a trademark holder of its share of a product market 
because competitors are impugning or harming their famous trademark. 

There are two conditions to this law. First, the trademark must be in use in 
commercial settings. Second, it must be distinctive so as to be readily associated 
with a specific product in the public eye (Kerr, 2018). This law provides civil 
options for the trademark holder, including ex parte seizure of all the goods 
used by the offender to produce materials. In addition, trademark holders are 
entitled to have their attorney fees paid by the offender, as well as receive eco- 
nomic damages including all profits made by the offender or an amount equal 
to three times the overall harms the holder experienced. 

Additionally, the Lanham Act led to the creation of the Trademark Coun- 
terfeiting Act of 1984 as a means to provide criminal penalties for unauthor- 
ized use of, or creation of, counterfeit trademarks (Kerr, 2018). Specifically, this 
law makes it illegal to sell or attempt to sell a product with a counterfeit mark, 
which was defined as: 


a spurious mark and spurious designations (1) used in connection with traffick- 
ing in goods or services (2) identical with, or substantially indistinguishable 
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from, a mark registered for those goods and services on the United States Pat- 
ent and Trademark Office’s Principal Register (whether or not the defendant 
knew the mark was registered) and in use and (3) the use of which is likely 
to deceive, confuse, or cause mistake on the part of the consuming public. 


As a result, attempting to sell a product that knowingly featured labels, branding, 
or tags that resemble an existing trademark became illegal through this law. The 
penalty for a first offense includes incarceration of up to ten years, as well as a 
fine of between $2 million for individuals and $5 million for corporate offenders 
(Kerr, 2018). Repeat offenders could be imprisoned for up to 20 years and pay 
a fine of $5 million, while corporations could pay up to $15 million. Addi- 
tionally, individuals who produce counterfeit medications or pharmaceuticals 
would receive the maximum penalty under the statute. 

Second, the Economic Espionage Act of 1996 criminalized the theft or 
misappropriation of trade secrets on behalf of another party (18 U.S.C. 1831) 
or a foreign power (18 U.S.C., 1832). Violations where the party is accused of 
knowingly stealing secrets, or intending to do so in order to aid a nation-state, 
have criminal penalties of as much as 15 years in prison and up to $500,000 per 
offense for individuals. Companies that engage in such behaviors can be fined 
up to $10 million (Kerr, 2018). 

Should an individual acquire trade secrets involving products that are avail- 
able in domestic or foreign commercial markets to harm the secret holder, 
they could be imprisoned for up to ten years. Organizations or companies that 
engage in such behaviors can be fined up to $5 million. Additionally, this law 
allows the government to seize physical assets related to the offense and all prof- 
its made by the offenders, and pursue civil proceedings on its own behalf to 
seek damages against the parties involved. This act was amended through the 
Defend Trade Secrets Act (DTSA) of 2016 to allow trade secret holders to 
sue offenders in federal court (Goldman, 2016). Additionally, the DTSA allows 
companies to engage in the seizure of materials related to the stolen secrets in 
the defendant’s possession. This process can occur ex parte, meaning without 
notice to the defendant. 

Similar provisions are available at the state level in the United States through 
the Uniform Trade Secrets Act, or UTSA (Kerr, 2018). This act was initially 
produced in 1979 as a means to harmonize the ways that trade secrets could be 
handled across all the states. It was later amended in 1985. Until this time, each 


state had taken its own approach to the theft of trade secrets, leading to discrep- 


ancies in enforcement, particularly for companies that had locations in multiple 
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states (Kerr, 2018). This Act essentially created consistent language regarding 
the ways that a secret may be criminally obtained and misused (Kerr, 2018). 
First, the act provided language related to the ways that the theft occurred, 
whether through physical or electronic means. Additionally, the act provided 
opportunities for the aggrieved party to seek an injunction against any further 
actions by the defendant on the basis that it may cause further harm to the secret 
holder. Additionally, the Act allows victims to seek economic damages and 
receive attorneys’ fees from the defendant in the case (Kerr, 2018). As of today, 
48 states have adopted this legislation, excluding New York and North Car- 
olina, as well as the District of Columbia, the Virgin Islands and Puerto Rico. 


The Law Enforcement and Industry Response 


Though there are myriad laws designed to protect intellectual property, there 
are relatively few law enforcement agencies that pursue cases against those who 
engage in either piracy or intellectual property crimes. For instance, the United 
States removed the power to prosecute copyright infringement cases from state 
courts in 1976 with the introduction of the revised Copyright Act of 1976 
(Brenner, 2011). As a result, the Federal Bureau of Investigation (FBI) 
tends to prosecute active investigations involving intellectual property rights 
violations (Federal Bureau of Investigation [FBI], 2020). Not only has the FBI 
actively disrupted piracy groups (Nhan, 2013), but they now also respond to 
offenses that affect trade secrets and counterfeiting that affect the public’s health 
and safety. In particular, the FBI now operates an Intellectual Property 
Theft/Piracy group that engages in criminal investigations involving counter- 
feit pharmaceuticals, auto parts, electronics, and other equipment that could 
cause harm if it fails (Federal Bureau of Investigation [FBI], 2020). 


For more on the FBI and its enforcement of intellectual prop- 
erty theft and piracy, go online to: https://www.tbi.gov/investigate/ 
white-collar-crime/piracy-ip-theft 


The FBI also coordinates responses with the Department of Homeland Secu- 
rity through its Global Trade Investigations Division (NIPRCC, 2020). 
This division breaks into three structures, the first of which is the National 
Intellectual Property Rights Coordination Center (NIPRCC), which 


is designed to coordinate the response to intellectual property crimes across 
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the US federal government, as well as work in concert with Interpol, Europol, 
and the Canadian and Mexican governments (NIPRCC, 2020). Second, the 
Counter-Proliferation Investigations (CPI) Unit focuses on keeping crim- 
inals, terrorists, and nation-states from obtaining sensitive military and techno- 
logical secrets and equipment, including weapons of mass destruction. Finally, 
the Export Enforcement Coordination Center (E2C2) acts as an intelli- 
gence collection and dissemination arm to improve the quantity of information 
available on issues associated with IP violations (NIPRCC, 2020). 

This structure is thought to be an essential way to produce an improvement 
in the way that investigations occur and increase the number of successful prose- 
cutions for violations. To that end, many different government agencies can play 
a role in helping to enforce IP law, including the Bureaus of Customs and 
Border Patrol (CBP), Immigration and Customs Enforcement (ICE), 
the United States Postal Inspection Service (USPIS), and the Food and 
Drug Administration (FDA) Office of Criminal Investigations (OCI) 
(NIPRCC, 2020). These agencies all investigate and seize goods that infringe 
upon existing intellectual property rights. This includes physical transportation 
of counterfeit products, as well as digital transfers of pirated goods, as individu- 
als who attempt to bring these materials from outside servers onto their home 
computer are technically importing pirated goods (Haberman, 2010). 

Similarly, the City of London Police operates the Police Intellectual Prop- 
erty Crime Unit (PIPCU) in order to investigate and handle various forms of 
intellectual property theft (City of London, 2021). This unit works as an inde- 
pendent group designed to handle serious forms of intellectual property crime, 
including counterfeit products and pirated materials on and offline. It operates 
with the National Crime Agency (NCA) (see Chapter 3), various international 
enforcement, and industry agencies and serves as a hub for investigations to 
disrupt organized piracy and fraud. The PIPCU also develops strategies to deter 
and reduce the sale of counterfeit goods broadly (City of London, 2021). 

One of the greatest challenges law enforcement agencies face in dealing with 
intellectual property laws is the fact that it is exceedingly difficult for intellectual 
property owners to identify when and how their materials are shared illegally. 
Copyright holders must scour sites across the globe in order to locate distribu- 
tion networks and participants. As a consequence, industry groups play a more 
prominent role in the enforcement of intellectual property rights. They manage 
and promote the interests of major corporations and copyright holders within 


their country, and internationally as well. For instance, the Recording Indus- 


try Association of America (RIAA) is a trade organization that supports the 
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recording industry and those businesses that create, manufacture, or distribute 
legally sold and recorded music within the United States. The group was 
founded in 1952, helped define standards related to music production, and is a 
broker for the collective rights management of sound recordings. In fact, its 
stated goals are to (1) protect intellectual property rights and the First Amend- 
ment rights of artists; (2) perform research about the music industry; and 
(3) monitor and review relevant laws, regulations, and policies. Currently the 
RIAA represents over 1,600 recording companies and other industries, such as 
Sony Music Entertainment and Warner Music Group (Brenner, 2011). 


For more information on the various industry bodies protecting 
intellectual property, go online to: 


www.iprcenter.gov 


There are many other groups, such as the Motion Picture Association of 
America (MPAA), that operate to protect the intellectual property of their art- 
ists and creative producers. In the United Kingdom, the Federation Against 
Copyright Theft (FACT) is the primary trade organization dedicated to the 
protection and management of intellectual property, notably those of film and 
television producers. The group was established in 1983 and is actively engaged 
with law enforcement to combat piracy. For instance, FACT regularly works 
with the UK police to take down piracy websites and sue groups engaged in 
the distribution or facilitation of digital piracy (FACT, 2013). They also work 
in conjunction with the Australian FACT (AFACT), which targets pirates 
in the Australia and Oceania generally (AFACT, 2013). Similarly, the Indian 
Music Industry (IMI) represents recording industry distributors and producers 
across the nation (IMI, 2016). 

All of these entities work in concert to pursue and protect their economic 
and intellectual interests. This is a substantive challenge in the current inter- 
national landscape as the laws of one country governing intellectual property 
may be entirely different than those of another nation. Consider TPB, the 
aforementioned group central in the distribution of torrent files, which was 
founded in Sweden in 2003. Though the members assumed they would be 
safe from law enforcement efforts, several of their homes were raided and 
they were prosecuted by Swedish and US law enforcement for facilitating the 
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distribution of pirated materials. In an attempt to avoid future incidents, the 
group attempted to purchase Sealand, a micro-island off the coast of England. 
The group raised $25,000 in donations to facilitate this endeavor, operating 
under the assumption that they could turn the island into a safe haven for 
pirated materials. This attempt was unsuccessful, as the government of Sealand 
felt that the group was only going to violate international laws. Their efforts, 
however, demonstrate the extent to which piracy groups are organizing and 
attempting to avoid legal efforts. 

The recording industry also pursues civil suits against various individuals 
and businesses for their role in the facilitation of piracy. For instance, the music 
industry sued the file-sharing service Napster over their role in the distribution 
of pirated materials, which led to an out of court settlement and the shuttering 
of Napster as a free service. The recording industry also began to sue individ- 
ual pirates for their downloading behaviors, which often involved hundreds 
of thousands of dollars in fines against the pirates. This tactic, however, has 
been largely abandoned in favor of tracking file-sharing programs to detect tor- 
rent seeders. In turn, they work with ISPs to send cease and desist letters in 
order to help slow down the volume of pirated materials traded online. In fact, 
the RIAA and FACT began to distribute letters to Internet users who were 
thought to have engaged in illegal file sharing to demand payment in settlement 
for their copyright violations (Nhan, 2013). This tactic was thought to be a way 
to directly reduce the legal costs these entities incurred as a result of pursuing 
settlements against file sharing. 

Other nations have pursued options to directly limit individuals’ access to 
pirated content online. For instance, India began to allow ISPs to block access 
to websites where individuals could acquire pirated media beginning in 2011 
(ONI, 2012). The blocks were often selective and developed on the basis of 
so-called John Doe orders, where an entity could claim that unknown indi- 
viduals would cause harm to their intellectual property or copyright (Anwer, 
2016). The identification of sites was also questionable as they were developed 
by attorneys working for industry groups such as the IMI. As a result, entire sites 
would be blocked, not just a single URL where content could be identified. 
They were not also enforced across all ISPs causing gaps in enforcement. 

In 2012, the Madras High Court ordered that only specific URLs could be 
blocked and not entire web sites in an attempt to minimize free use of the Inter- 
net by citizens. This was challenged, however, by a 2014 request from Sony 


Entertainment which ordered the court to allow fully blocking of various file 


sharing and hosting sites that could enable the distribution of pirated material. 
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The court ruled in favor of Sony and eventually allowed 219 sites to be blocked 
entirely. In 2015, the IMI group was able to successfully argue that ISPs across 
the nation block access to sites that enable media piracy (Collier, 2015). The 
Delhi High Court instructed all of the ISPs in the nation to block users from 
accessing 104 different websites identified by the IMI as a source for pirated 
content (Collier, 2015). If an individual attempted to access such a site via their 


web browser, they would see the following message: 


This URL has been blocked under the instructions of the Competent Gov- 
ernment Authority or in compliance with the orders of a Court of competent 
jurisdiction. Viewing, downloading, exhibiting or duplicating an illicit copy 
of the contents under this URL is punishable as an offence under the laws of 
India, including but not limited to under Sections 63, 63-A, 65 and 65-A of 
the Copyright Act, 1957 which prescribe imprisonment for 3 years and also 
fine of up to Rs. 3,00,000/-. Any person aggrieved by any such blocking of 
this URL may contact at urlblock [at] tatacommunications [dot] com who 
will, within 48 hours, provide you the details of relevant proceedings under 
which you can approach the relevant High Court or Authority for redressal 


of your grievance 


There has been substantive criticism of this strategy across India for numerous 
reasons. 

Specifically, the basis for blocking may include something as simple as the 
appearance of the name of a piece of copyrighted material in the URL (Anwer, 
2016). In the case of full site blocks, the list could extend beyond traditional ille- 
gal file sharing sites like TPB and include sites like Google. Should an individual 
receive an alert message that content has been blocked due to potential pirated 
material, it may not be because they were actually attempting to access illegal 
content. Telling the person that they could be arrested may be useful infor- 
mation but is also a relatively empty threat due to the difficulty of prosecuting 
the individual (Anwer, 2016). Furthermore, a person could easily use proxy 
services, such as Tor, in order to mask their physical location and gain access 
to pirated content. Thus, blocking content from Internet users is a somewhat 
questionable tactic to affect piracy rates. See Box 5.4 for more details. 

The recording and media industries have also employed unique extralegal 
attempts to affect piracy networks. For instance, some private companies have 
been hired to disrupt file-sharing processes by “poisoning” torrent files to either 
corrupt content, identify the downloaders, or disrupt P2P networks generally 
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Box 5.4 Digital Piracy in India 


Torrent Downloads: Fiasco Over Three-Year Jail Term Shows 
Absurdity of India’s John Doe Orders 


http://indiatoday.intoday.in/technology/story/the-3-years-jail-fiasco- 
for-torrents-shows-absurdity-of-indias-john-doe-orders/1/745886.html 


So, can you land up in jail for viewing a torrent site in India or not? 
Yesterday, IndiaToday. In reported that you may get a jail term as well 
as may have to pay a fine of Rs 3,000,000 if you visit a blocked URL, 
including a torrent site. Today, you must have seen reports that no, 


you won't be jailed just because you visit a torrent site ... 


This article provides an overview of the issues present in India’s decision 
to block pirated content, and the questionable legal grounds on which 


potential offenders may stand. 


(Kresten, 2012). Some of the more common methods involve attempting to 
share a corrupted version of a piece of music or media to deter users from 
downloading the file or making it more difficult to identify the actual content. 
Alternatively, some companies such as MediaDefender will attempt to share a 
file that attempts to download content from nonexistent peers or false sites in 
order to deter offenders (Kresten, 2012). 

More extreme measures have been employed by various companies in order 
to disrupt P2P sharing groups. In 2010, multiple Indian film studies hired the 
company Aiplex Software to engage in DDoS attacks against websites like TPB 
that would not respond to takedown notices to remove pirated movies they 
produced (Whitney, 2010). These tactics were largely ineffectual at disrupting 
piracy networks and actually led to a backlash by members of both the piracy 
and hacker subculture (Whitney, 2010). Members of the group Anonymous 
engaged in a number of Denial of Service attacks against recording artists, com- 
panies, and the RIAA website in order to protest their efforts to stop piracy 
(Whitney, 2010). The attack, referred to as Operation Payback, effectively 
knocked critical websites offline and slowed email traffic, making it difficult for 
these groups to engage in regular commerce (Nhan, 2013). As a result, there 
has been a reduction in the use of these extralegal methods by the recording 


industry to avoid further embarrassment. 
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Summary 


Taken as a whole, the problem of piracy and intellectual property theft is 
extremely complicated. Individuals interested in obtaining copyright-protected 
materials without paying for them have had a variety of ways to acquire these 
goods, though it has become increasingly easy to acquire pirated materials over 
the last two decades. The emergence of the Internet and digital media has made 
it easy for individuals to share media, though pirates have subverted these tech- 
nologies to share copyrighted files. Additionally, technological innovations have 
made it easier for individuals, corporations, and nation-states to engage in the 
theft of sensitive information and trade secrets that can severely impact the eco- 
nomic competitiveness of another nation. 

As a consequence, it is extremely challenging to affect the rates of these 
offenses through traditional measures such as lawsuits or arrests. As copyright 
holders continuously adapt legal strategies to deter pirates, the piracy subculture 
is increasingly vocal about their right to have access to digital media of all sorts. 
Similarly, nation states have become even more adept at surreptitiously gaining 
access to sensitive information to reduce their own investments and labor to 
compete in open markets. These tensions cannot be easily solved, especially 
as technologies that increasingly provide access to digital materials, such as the 
Kindle, rise in popularity. Therefore, the criminal justice response to intellectual 


property violations will continue to evolve over the next decade. 
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Discussion Questions 


1. What are your thoughts on digital piracy? Do you think there is a victim 
involved in intellectual property theft? 

2. Consider how the evolution in technology has influenced how you 
watch movies and listen to music. Think about how it must have been to 
listen to music on vinyl records or watch movies on tapes. Would hold- 
ing a physical object, such as a record or cassette tape, affect your views 


on digital piracy? 


OQ 


. How different is digital piracy from traditional theft? 


aN 


. Have you considered digital piracy as being intellectual property theft 
before reading this chapter? 


on 


. Considering that hackers are always one step ahead of the cybersecurity 


industry, how should private companies effectively protect their intellec- 
tual property? 
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Chapter Goals 


e Understand the definitions of fraud and identity theft 

e Identify how and why fraudsters have adapted to online environments 
e Explain the various forms of email-based fraud currently circulating 

© Know the laws pertaining to fraud and cyber-based theft 

e Recognize the agencies responsible for the investigation of fraud 


Introduction 


When many people discuss the benefits of computer technology and the Inter- 
net, they may identify the ease with which these resources allow us to shop and 
manage our personal finances. Consumers can now acquire virtually any item 
from anywhere in the world through major online retailers, like Amazon, or 
directly from other consumers via eBay and craigslist. In the United States, the 
total estimated sales from online retailers in 2021 was $870.8 billion (U.S. Depart- 
ment of Commerce, 2022). With the rise of COVID-19 infections around the 
world, 41 percent of respondents in a global survey indicated they shopped daily 
or weekly with their mobile or smartphone as a tool to shop in light of limited 
physical shopping options, compared with 12 percent five years ago (PwC, 
2021). Much of this expansion stems from the belief that consumers can shop 
safely, save money, and actively research products and price points by purchasing 
goods through online retailers (Wilson, 2011). At the same time, consumers 
often increase the size of their orders and spend more to get the benefit of free 
shipping (Mintel, 2015). Thus, there has been a significant increase in the use of 
websites and online auction houses to identify goods and services at lower price 


points than are otherwise available in bricks-and-mortar stores. 


For more information on consumer shopping trends, go online to: 
https://www.pwe.com/gx/en/industries/consumer-markets/consumer- 
insights-survey html 


Consumers also depend on the safety and security of online retailers to 
manage their financial data. Services like Amazon and iTunes store credit or 


debit card information on file so that customers can pay for an item through 
a single click in order to minimize the processing time required to pay for 
a product. Others use third-party payment systems like PayPal to send and 
receive payments for services rendered. While customers do not report con- 
sistent confidence in retailers’ ability to manage their data, they are willing 
to forgive any breaches of their personal information if the company takes 
steps to mitigate threats if the information is lost (Narula et al., 2014). As a 
result, web-based financial transactions have become commonplace in the 
modern world. 

The ability to access and buy goods anywhere at any time represents a rev- 
olution in commerce. The benefits of these technological achievements, how- 
ever, are balanced by the increasing ease with which our personal information 
can be compromised. The paperless nature of many transactions means that we 
must now put our trust in companies to maintain the confidential nature of our 
financial data from hackers and data thieves. At the same time, consumers have 
to be vigilant against deceptive advertisements for products that are either too 
inexpensive or lucrative to miss. 

In fact, one of the most commonly reported forms of cybercrime are forms 
of cyber-deception and theft, otherwise known as fraud. Though there are 
many definitions for fraud, one of the most commonly accepted involves the 
criminal acquisition of money or property from victims through the use of 
deception or cheating (Button & Cross, 2017). Various forms of fraud existed 
prior to the Internet and required some interaction between the victim and the 
offender, either through face-to-face meetings (Kitchens, 1993; Knutson, 
1996) or telephone-based exchanges (Stevenson, 1998). As technology, such as 
email and web pages, became more popular, fraudsters began to adapt their 
schemes to suit online environments where less direct interaction with victims 
was necessary to draw in prospective targets. In fact, some forms of fraud 
require virtually no interaction with a victim, as criminals can now compro- 
mise databases of sensitive information in order to steal identities or hijack 
payment providers in order to illegally transfer funds (Ayyagari, 2020; Holt & 
Lampke, 2010; James, 2005). 


For more information on the role of hacks and fraudulent transac- 
tions using the international SWIFT transaction system, go online 
to: https://www.newyorker.com/magazine/2021/04/26/the-incredible- 
rise-of-north-koreas-hacking-army 
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Box 6.1 Twitter Promoting a Phishing Site 


Twitter Promoted a Tweet that Steals Your Credit 
Card Details 


https://www.thedailybeast.com/twitter-promoted-a-tweet-that-steals- 


your-credit-card-details 


After providing some basic information, the site then asks for a user’s 
credit-card number, expiration date, security code, and billing address— 
likely enough information for a cybercriminal to then use those pay- 
ment details elsewhere. 


This article summarizes a recent problem with Twitter in which it was 
promoting a phishing site stealing personally identifiable information, such 


as credit card information and Twitter passwords. 


The near ubiquity of technology has now afforded fraudsters multi- 
ple opportunities to obtain money or information from victims for vari- 
ous purposes. Fraudsters can utilize email, texts, instant messaging systems, 
Facebook, Twitter, and online retailing sites to capitalize on unsuspecting 
victims. Some offenders have even begun to track the behavior of certain 
groups of individuals to obtain sensitive information. For instance, teens and 
young adults have begun a dangerous habit of posting pictures of new 
drivers’ licenses, passports, and credit/debit cards online to brag to friends 
(see Box 6.1 for details). In this case, the victims are providing their personally 
identifiable information (PII) to others freely, which can be used to engage 
in identity crimes with some ease. As a result, this presents an immediate and 
simple resource for fraud based solely on the poor personal security habits 
of users. 

This chapter will provide an overview of the most common forms of fraud 
employed online, most notably those sent via email to wide audiences (see 
Chapter 17 for detail on the evolution of fraud due to COVID-19). The util- 
ity of e-commerce sites for the mass acquisition and theft of sensitive personal 
information for identity crimes will also be considered in detail. We will also 
consider the difficulty law enforcement agencies face in attempting to combat 


these crimes, due in part to their international scope. 


Fraud and Computer-Mediated Communications 


When discussing online fraud, it is important to note that email and social media 
sites are a critical resource for fraudsters. Prior to the World Wide Web and 
Computer-Mediated Communications (CMCs), scammers had to depend on 
their ability to craft convincing stories, whether in person or through either 
phone-based or print scams in magazines and newspapers. These efforts required 
some degree of investment on the part of the scammer, as they had to develop 
and pay for an ad to be created or pay for bulk mail. In fact, some of the most 
well-known email scams today were previously run through handwritten letters 
in postal mail or faxes in the 1980s (United States Department of State, 1997). 
The creation and proliferation of email and social media was a boon to scam- 
mers, as they could use this medium in order to access millions of prospective 
victims simultaneously for virtually no cost (Wall, 2004). The use of email is ubiq- 
uitous; many people have multiple accounts at their disposal for different purposes. 
Email is extremely simple to use, requires virtually no cost for users or senders, and 
allows the distribution of images, text, web links, and attachments. Similarly, indi- 
viduals can hide behind various false profiles made on social media sites at no-cost 
using various content sourced from legitimate websites and user profiles. This ena- 
bles a scammer to create convincing messages using branded, well-known images 
that can fool even the most careful of users. For instance, if individuals wanted to 
create an email that appeared to come from a bank, they could visit that institu- 
tion’s website to download the official logos and language posted in order to craft a 
more realistic message. They can also utilize HTML redirects that would not oth- 
erwise be noticed by a casual web user in order to make a more believable message. 
In 2015, the Internet Crime Complaint Center (IC3) (2015) received 288,012 
complaints of various forms of Internet fraud. Approximately 44 percent of these 
complaints reported losses of $1 billion. Only four years later, the IC3 received 
467,361 complaints leading to losses of an estimated $3.5 billion (Internet Crime 
Complaint Center, 2020). Despite these estimates, it is unclear how many victims 


of various forms of online fraud report their experiences to law enforcement. 


For more information on fraud statistics, go online to: https://review42. 
com/resources/ecommerce-fraud-statistics/#:~:text=In%202018%2C%20 
the%20FTC%20registered ,reports%20%E2%80%93%20an%20increase% 
20from%202017.&text=%E2%80%93%20In%20fact%2C%20compared%20 
to%202010,internet™%20sales%20fraud%20in%202018 
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Identity Theft 


In addition to economic losses stemming from fraud, there is a tremendous threat 
posed by the loss of sensitive, personally identified information (PII), or the 
unique identifiers individuals use in their daily lives (Posey et al., 2017). A range of 
personal details are considered PII, including names and birthdates, as well as gov- 
ernment identification numbers assigned to you, like social security numbers, pass- 
port numbers, and drivers’ license numbers. This information is inherently valuable 
since it serves as the basis for obtaining credit cards, mortgages, loans, and govern- 
ment assistance (Federal Trade Commission, 2021a). Criminals who obtain this 
information can use it to fraudulently apply for such services. Additionally, they 
may use this information to create fraudulent identification in order to conceal their 


identities or evade law enforcement. 


For more information on the value of your PII, go online to: 


https://www.lifelock.org/value-personal-info-much-identity-worth/ 


The use of PII to engage in fraud or impersonation has led to a unique set 
of terms in the legal and academic fields: identity theft and fraud. These terms 
are often used interchangeably, though their use varies by place. In addition, 
there is no single definition for either term (Claugh, 2015; Copes & Vieraitis, 
2009). There are, however, some consistencies in their meaning. One of the 
most widely recognized and accepted definitions of identity theft in the 
United States involves the unlawful use or possession of a means of identifica- 
tion of another person with the intent to commit, aid, or abet illegal activity 
(Allison et al., 2005; Copes & Vieraitis, 2009). The Bureau of Justice Statistics 
(BJS) defines identity theft as “the attempted or successful misuse of an existing 
account, such as a debit or credit card account, the misuse of personal infor- 
mation to open a new account or the misuse of personal information for other 
fraudulent purposes, such as obtaining government benefits or providing false 
information to police during a crime or traffic stop” (Harrell, 2014). 

In Australia, India, and the United Kingdom, the term identity fraud is 
more commonly used to reference when someone else’s personal information 
is used by another individual in order to obtain money, credit, goods, or ser- 
vices, and can be used to enable other forms of fraud, such as mortgage fraud 
(Button & Cross, 2017). In fact, this creates an interesting dichotomy: posses- 
sion of PII without authorization from those persons is not illegal in the United 
Kingdom, though it is in the United States. 


Over the last decade, evidence suggests identity crimes are increasing expo- 
nentially and cause substantive economic harm. In the first six months of 2020, 
the US Federal Trade Commission (2020) received 571,181 complaints of 
identity theft, comprising 31 percent of all complaints received. The majority of 
these complaints involved some type of credit card fraud (34 percent), though 
many also reported misuse of loan or lease information, government docu- 
ments, and employment and tax related fraud. 

The number of identity theft complaints made to the Federal Trade Com- 
mission (FTC) pales in comparison to the estimates of identity theft victimiza- 
tion in the United States. The BJS estimated that 26 million US residents, or 
approximately 10 percent of the US population over the age of 16, were the 
victims of identity theft in 2016 (Harrell, 2019). The BJS found that the most 
common form of identity theft victimization was the unauthorized misuse or 
attempted misuse of an existing account experienced by 25.95 million individ- 
uals. More specifically, 13.42 million individuals experienced credit card fraud, 
11.95 million were victimized by bank account fraud, and 2.61 million were 
victims of other type of account fraud, such as telephone or insurance accounts 
(Harrell, 2019). 

It should be noted that some individuals may have experienced multiple 
forms of victimization. In many cases, the victims only found out when a 
financial institution contacted them (in 47.6 percent of the incidents) or when 
noticing fraudulent charges on their accounts (18.7 percent of incidents; Har- 
rell, 2019). Although two-thirds of identity theft victims reported direct finan- 
cial losses, the average losses were $850 which is higher than in previous years 
(Harrell, 2019). Additionally, only 7 percent of identity theft victims reported 
the incident to law enforcement. Rather, the majority (88 percent) reported the 
victimization to a credit card company or bank (Harrell, 2019). 

Similarly, estimates from the United Kingdom vary depending on whether 
the figures are based on reporting or survey estimates. There were 364,643 
identity fraud cases were reported in the United Kingdom in 2019, which was 
a 13 percent increase overall from 2018 (Cifas, 2021). It is thought that crimi- 
nals were able to acquire more than £1.2 billion in funds via fraud within the 
United Kingdom during the same year (UK Finance, 2019). Evidence from 
India suggests that there has been a substantive increase in fraudulent applications 
for financial products in 2019. One estimate suggests that 40 percent of Indian 
consumers experienced some form of identity theft in 2019 (Mehta, 2020). 

Given the scope of identity theft and fraud, it is important to note that 
criminals can obtain PII in two ways: low-tech and high-tech methods. Low-tech 
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identity theft can involve simple techniques such as taking personal informa- 
tion out of mailboxes and trash cans or during the commission of a robbery or 
burglary (Allison et al., 2005; Copes & Vieraitis, 2009). Offenders may also use 
high-tech methods via computers and/or the Internet to obtain personal infor- 
mation that is seemingly unprotected by the victim (Holt et al., 2016; Leukfeldt 
et al., 2017; Newman & Clarke, 2003). 

It is not clear how many identity crimes stem from low- or high-tech means 
due to the fact that victims may not be able to identify when or how their iden- 
tity was stolen (Harrell, 2014). Also, law enforcement and trade agencies are 
only beginning to measure the scope of identity crimes and capture this infor- 
mation effectively (Federal Trade Commission, 2021a; Harrell, 2014; National 
Crime Agency, 2021). It is possible that there may be an increase in the number 
of identity theft and fraud incidents stemming from high-tech means due to the 
ease with which individual offenders can compromise the PII of thousands of 
victims at once. For instance, businesses and financial institutions store sensitive 
customer information in massive electronic databases that can be accessed and 
compromised by hackers (Ayyagari, 2020; Chu et al., 2010; Holt & Lampke, 
2010; Newman & Clarke, 2003; Wall, 2007). 

The extent of hacks affecting consumer PII was demonstrated repeatedly 
throughout the last two decades, like the 2008 announcement that the US com- 
pany Heartland Payment Systems had been compromised by a small group of 
hackers. The company processed over 11 million credit and debit card transac- 
tions for over 250,000 businesses across the United States on a daily basis (Ver- 
ini, 2010). Thus, hackers targeted their systems and were able to infiltrate and 
install malware that would capture sensitive data in transit without triggering sys- 
tem security (Krebs, 2011). In turn, they were able to acquire information from 
130 million credit and debit cards processed by 100,000 businesses (Verini, 2010). 

These sorts of mass breaches are increasingly common. The compromise 
of the US retail giants Target and Neiman Marcus in late 2013 exposed more 
than 40 million credit and debit card accounts with prospective losses for con- 
sumers estimated to be in the millions (Higgins, 2014). Two online dating 
services, AdultFriendFinder and Ashley Madison, also experienced major data 
breaches in which the personal information of their clients were released. 
In the case of Ashley Madison, 37 million customers had their information 
released, including completed transactions, email addresses, and sexual prefer- 
ences (PandaLabs, 2015). 

The targets of breaches continue to evolve over time, with more and 
more reported annually. In fact, some estimate that 2019 was the worst year 


for data breaches on record due to the diverse number of companies and 
organizations affected worldwide (Henriquez, 2019). For instance, Face- 
book allowed over 540 million client records to be captured and accidentally 
exposed online by third-party application providers in 2019. Similarly, the 
financial service provider Capital One had more than 106 million customer 
records exposed in the same year (Henriquez, 2019). Additionally, over 
275 million Indian and 202 million Chinese job-seekers lost their data when 
an employment company called MongoDB was affected by breaches in these 
nations (Henriquez, 2019). 

While financial data is a tremendously attractive target for thieves and fraud- 
sters, there is also evidence that health-care data breaches are increasing. The 
amount of sensitive PII that could be acquired through an error or weakness in 
health-care data storage is tremendous (Heath, 2015). The information stored 
by health-care providers in the United States frequently includes social security 
information and other bits of identifying information that can be used for tra- 
ditional identity fraud but could also provide information to assist in medical 
and insurance fraud in the United States. In fact, the US medical service pro- 
vider Quest Diagnostics was affected by a breach in 2019 that led to the loss of 
24 million patient records thanks to hackers (Henriquez, 2019). 


Email-Based Scams 


In the context of online fraud, some of the most common schemes are perpe- 
trated based on initial contact via email. The interactive nature of email content 
coupled with the ability to access hundreds of thousands, if not millions, of users 
makes this an ideal medium for fraudsters. There are several fraud schemes that 
are sent to prospective victims every day. In the following sections, we discuss 
some of the most prevalent forms. This is not meant to be an exhaustive list, 
particularly as scams have begun to evolve in the time of the COVID-19 pan- 
demic (see Chapter 17 for more detail). Instead, our purpose is to expose you 
to the most common types of schemes you may encounter on a consistent basis. 


Nigerian Email Schemes 


In the realm of online fraud schemes, one of the most common and costly types 
is the advance fee email scheme. These are so named because the sender 
requests a small amount of money up front from the recipient in order to share 
a larger sum of money later (Gottschalk, 2010; Kigerl, 2020) (see Box 6.2 for an 
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Box 6.2 Nigerian Email Text 


Subject: MR SULEMAN BELLO 


FROM THE OFFICE MR SULEMAN BELLO 
AFRICAN DEVELOPMENT BANK (ADB). 
OUAGADOUGOU BURKINA FASO. 

WEST AFRICA. 


TRANSFER OF ($25,200.000.00) TWENTY FIVE MILLION, TWO 
HUNDREN THOUSAND DOLLARS. 


I AM SULEMAN BELLO, THE AUDITOR GENERAL OF AFRI- 
CAN DEVELOPMENT BANK HERE IN BURKINA FASO. 
DURING THE COURSE OF OUR AUDITING, I DISCOV- 
ERED A FLOATING FUND IN AN ACCOUNT OPENED IN 
THE BANK BY MR JOHN KOROVO AND AFTER GOING 
THROUGH SOME OLD FILES IN THE RECORDS I DIS- 
COVERED THAT THE OWNER OF THE ACCOUNT DIED 
IN THE (BEIRUT-BOUND CHARTER JET) PLANE CRASH 
ON THE 25TH DECEMBER 2003 IN COTONOU (REPUBLIC 
OF BENIN). 

AND NOBODY HAS OPERATED ON THIS ACCOUNT 
AGAIN, THE OWNER OF THIS ACCOUNT IS MR JOHN KOR- 
OVO A FOREIGNER, AND A TRADER WHO TRADE ON 
GOLD AND MINING, HE DIED, SINCE 2003 AND NO OTHER 
PERSON KNOWS ABOUT THIS ACCOUNT OR ANY THING 
CONCERNING IT, THE ACCOUNT HAS NO OTHER BENEFI- 
CIARY AND MY INVESTIGATION PROVED TO ME AS WELL 
THAT MR JOHN KOROVO DIE ALONG WITH HIS TIRED 
FAMILY. THE AMOUNT INVOLVED IS (USD 25.2 M) TWEN- 
TY-FIVE MILLION, TWO HUNDRED THOUSAND UNITED 
STATES DOLLARS ONLY, IAM CONTACTING YOU AS A FOR- 
EIGNER BECAUSE THIS MONEY CAN NOT BE APPROVED TO 
A LOCAL PERSON HERE, BUT CAN ONLY BE APPROVED TO 
ANY FOREIGNER WITH VALID INTERNATIONAL PASSPORT 


OR DRIVERS LICENSE AND FOREIGN ACCOUNT BECAUSE 
THE MONEY IS IN US DOLLARS AND THE FORMER OWNER 
OF THE ACCOUNT MR JOHN KOROVO IS A FOREIGNER 
TOO, AND THE MONEY CAN ONLY BE APPROVED INTO A 
FOREIGN ACCOUNT. 

I NEED YOUR STRONG ASSURANCE THAT YOU WILL 
NEVER, NEVER CHEAT ME AS SOON AS THIS FUND HIT 
INTO YOUR ACCOUNT. WITH MY INFLUENCE AND THE 
POSITION OF THE BANK OFFICIAL WE CAN TRANSFER 
THIS MONEY TO ANY FOREIGNER’S RELIABLE ACCOUNT 
WHICH YOU CAN PROVIDE WITH ASSURANCE THAT 
THIS MONEY WILL BE INTACT PENDING OUR PHYSICAL 
ARRIVAL IN YOUR COUNTRY FOR SHARING. THE BANK 
OFFICIAL WILL PROVE ALL DOCUMENTS OF TRANSAC- 
TION IMMEDIATELY FOR YOU TO RECEIVE THIS FUND 
LEAVING NO TRACE TO ANY PLACE AND TO BUILD 
CONFIDENCE. 

ON THE CONCLUSION OF THIS TRANSACTION YOU 
WILL BE ENTITLED TO 30% OF THE TOTAL SUM AS GRAT- 
IFICATION, WHILE 10% WILL BE SET ASIDE TO TAKE CARE 
OF THEEXPENSES THAT MAY ARISE DURING THE TIME OF 
TRANSFER AND ALSO TELEPHONE BILLS, WHILE 60% WILL 
BE FOR ME. 

SO ON THE INDICATION OF YOUR WILLINGNESS I WANT 
YOU TO FORWARD TO ME YOUR: FULL NAME: SEX: COM- 
PANY: IF ANY FULL CONTACT ADDRESS: PHONE: CELL: FAX: 
CITY: STATE:ZIP CODE COUNTRY: OCCUPATION AND ALL 
THE NECESSARYINFORMATION WILL BE SENT TO YOU ON 
THE ACCEPTANCE TO CHAMPION THIS TRANSACTION 
WITH ME. 


THANKS 
YOURS TRULY 
SULEMAN BELLO 


(Source: Email received by one of the authors) 
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example). These messages are more commonly referred to as “Nigerian” scams 
because the emails often come from individuals who claim to reside in a foreign 
country, particularly Nigeria or other African nations. Some also call them 419 
scams as a reference to the Nigerian legal statutes that are used to prosecute 
fraud (Edelson, 2003; Holt & Graves, 2007; Kigerl, 2020; Smith et al., 1999). 

There are several variations of this scam used on a regular basis to defraud 
individuals. One of the most common messages involves the sender making a 
claim that they are a wealthy heir to a deceased person who needs help moving 
inherited funds out of the country. In turn, they will give the recipient a portion 
of the sum in exchange for financial and legal assistance (Edelson, 2003; Holt 
& Graves, 2007). Another popular variation of the message involves the sender 
posing as a public official who has been able to skim funds from a business or 
government contract (Edelson, 2003). They are seeking a contact to help get 
the money they illegally obtained out of the account. A similar scheme takes the 
form of a banker or attorney trying to close a dead customer’s account using the 
potential victim as the deceased’s next of kin (Edelson, 2003). Other adaptations 
have been identified, including the sender being in legal trouble or involved in 
some form of illegal behavior. Thus, the sender attempts to ensnare the recipient 
in an illicit, yet ultimately false, transaction. 

Potential victims who receive and respond to one of these messages are 
defrauded through the use of two techniques. First, and most often, the respond- 
ent will contact the sender, and the sender will then ask for a small donation to 
get an account or fund out of a holding process. The sender will then continue 
to receive small payments from the victim because of complications in obtain- 
ing their account or additional legal fees that are needed to move the account 
(Anderson et al., 2013; Smith et al., 1999). The process continues until the vic- 
tim is no longer willing or is too embarrassed to pay additional money, which 
can cause a significant dollar loss for the victim. 

An additional proportion of scammers will avoid the long-term process in 
favor of more immediate fraud. They achieve this by requesting the recipient 
provide personal information, such as their name, address, employer, and bank 
account information. The sender may make this request under the guise of 
ensuring that the recipient is a sound and trustworthy associate (Edelson, 2003; 
King & Thomas, 2009). The information is, however, surreptitiously used to 
engage in identity theft and drain the victim’s accounts. 

Due to the millions of spam messages that are sent every day, it is unknown 
how many respondents are victimized each year. In addition, fraud victimiza- 


tion has one of the lowest reporting rates of any crime type (Button et al., 2014). 


Some victims may not report their experience to law enforcement agencies out 
of fear they will be prosecuted for their involvement in the potentially illegal 
fund transfers described in the initial message they received (Buchanan & Grant, 
2001). Many victims also do not report their fraud victimization to law enforce- 
ment or family members because of shame, embarrassment, and guilt for being 
deceived. In many cases, family members and law enforcement may blame the 
victim for their role in the victimization because of their decision-making and 
naivety. They therefore may feel double victimized by the societal and legal 
response and feel further isolated (Buchanan & Grant, 2001; Button et al., 2014; 
Cross, 2015; Cross & Blackshaw, 2015). 

As a result, advance fee fraud victims constitute a substantial dark figure of 
cybercrime. It is clear, however, that victims of advanced fee fraud email scams 
lose massive amounts of money each year. The Internet Crime Complaint 
Center (2020) received 14,607 complaints associated with advance fee fraud 
schemes, though complainants lost $100 million to these schemes in 2019. This 
averages to approximately $6,887 per victim, which is a substantial increase in 
losses from prior years. In addition, victims reporting potentially related scams 
like lottery and inheritance schemes lost $48.64 million in the same year (Inter- 
net Crime Complaint Center, 2020). Given that scammers obtain these funds 
slowly from multiple victims over the course of a few weeks, that may account 
for the high profits associated with these fraud schemes. Thus, it is to a scam- 
mer’s advantage to send out as many messages as possible in order to increase the 


likelihood of a response. 


For more information on advance fee frauds, go online to: https:// 


www.onlinebanktours.com/banks/moneyBasics/preview.php?id=83 


Phishing Emails 


The use of phishing messages is another insidious form of fraud perpetrated in 
part by email in which individuals attempt to obtain sensitive financial informa- 
tion from victims to engage in identity theft and fraud (James, 2005; Lastdrager, 
2014; Wall, 2007). In many cases, the scammer sends emails to thousands of 
potential victims at one time in order to cast their net as wide as possible to 
increase their odds of someone responding to the email. These messages often 
mimic legitimate communications from financial institutions and service provid- 


ers, such as PayPal or eBay. The message usually contains some of the branding 
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Box 6.3. Phishing Example 


From: service@amazon.com 


Subject: Update your Amazon.com account information 


Dear Customer, 

You have received this email because we have strong reason to believe 
that your Amazon account had been recently compromised. In order to 
prevent any fraudulent activity from occurring we are required to open an 
investigation into this matter. 

Your account is not suspended, but if in 36 hours after you receive this 
message your account is not confirmed we reserve the right to terminate 
your Amazon subscription. 

If you received this notice and you are not an authorized Amazon 
account holder, please be aware that it is in violation of Amazon policy to 
represent oneself as an Amazon user. Such action may also be in violation 
of local, national, and/or international law. 

Amazon is committed to assist law enforcement with any inquires 
related to attempts to misappropriate personal information with the intent 
to commit fraud or theft. 

Information will be provided at the request of law enforcement agen- 
cies to ensure that perpetrators are prosecuted to the full extent of the law. 

To confirm your identity with us click the link below: http:// 
www.amazon.com/exec/obidos/sign-in.html 

[this link actually leads to http://ysgrous.com/www.amazon.com/|] 

We apologize in advance for any inconvenience this may cause you 
and we would like to thank you for your cooperation as we review this 


matter. 


(Source: Email received by one of the authors) 


and language commonly used by that institution in an attempt to convince the 
recipient that the message is legitimate (see Box 6.3 for an example). The mes- 
sage usually suggests that a person’s account has been compromised, needs to be 
updated, or has some problem that must be corrected as soon as possible. The 
time-sensitive nature of the problem is commonly stressed to confuse or worry 


the prospective victim in order to ensure a rapid response. 


The email will also include web links that appear to connect to the appro- 
priate website so that the victim can immediately enter their login information 
for the affected account. Generally, however, the link redirects the user to a 
different site controlled by the scammer that utilizes collection tools to capture 
user data. Better fraudulent sites will also feature branding or logos from the 
institution to help further promote the legitimacy of the phishing email. Upon 
arriving at the site, individuals are prompted to enter sensitive information, 
such as their bank account number, username, password, or even in some cases 
Personal Identification Numbers (PINs) to validate their account. Upon 
entering the data, it is captured by the scammer for later use and may either 
redirect the victim back to the original website for the company or provide a 
page thanking them for their information. 

This type of fraud is actually quite old, dating back to the 1990s when ISPs 
billed users by the hour for access. Skilled hackers would try to capture the 
usernames and passwords of unsuspecting victims by posing as an ISP, especially 
America Online (AOL) due to its scope and penetration in the market. Fraud- 
sters would harvest known AOL email addresses and send messages claiming to 
need account updates or validation of user profiles. The mass mailing strategy 
was like fishing, in that they were hoping to hook victims through deceptive 
bait. The term “phishing” emerged as a corruption of the term akin to that of 
phreaking within the general argot of the hacker community. Unsuspecting 
victims who thought these messages to be legitimate would forward their infor- 
mation to the sender in the hopes of correcting their account. The fraudsters, 
however, would keep the accounts for their own use or trade the information 
with others for pirated software or other information. 

The success of phishing techniques led some to begin to target e-commerce 
and online banking sites as they became popular with larger segments of the 
population in the early 2000s. Hackers began to recognize the value in targeting 
these institutions, and some began to create sophisticated phishing kits that came 
preloaded with the images and branding of the most prominent global banks. 
These kits, combined with spam email lists, enabled hackers to readily steal 
financial data from thousands of unsuspecting users around the world. In fact, 
the Anti-Phishing Working Group (2020) tracked 749,335 unique phishing 
email campaigns in 2019 alone. These schemes most often targeted payment 
service providers and financial institutions (39.2 percent), followed by webmail 
service providers (30.8 percent). The Internet Crime Complaint Center (2020) 
also received 114,702 complaints of phishing and related scams, though victims 
reported $57.836 million in losses during 2019. These figures may rise as the 
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COVID-19 pandemic continues to affect the world (see Chapter 17). Thus, 
phishing is a global problem that cannot be understated, though the prevalence 


of phishing victimization in the general population is largely unknown. 


Romance Scams 


An additional email-based scams with similar elements to the scams discussed 
above are romance scams. Unlike other email scams, however, victims of 
romance schemes are not interested in economic gain but rather forming an 
emotional and romantic bond with another person (Buchanan & Whitty, 2014; 
Cross, 2015; Cross et al., 2018). The popularity of online dating sites and social 
media create a target-rich environment for scammers to contact a broad audi- 
ence who are either actively seeking or interested in a romantic partner. As 
such, scammers can manipulate these environments in order to create a virtual 
identity that will appear enticing to their potential victims (Buchanan & Whitty, 
2013; Cross, 2015). 

The typical scheme begins via an unsolicited contact sent via a dating profile 
or social media account where they attempt to garner a response from their 
target. The scammer creates fake profiles in various social media and dating sites 
using attractive pictures of men or women in order increase the likelihood a 
victim will respond. Additionally, many scammers indicate they are the United 
States or European citizens working abroad with no real relatives or family to 
help them cope with the distance. Their “loneliness” creates a potential bond- 
ing point with their target, and if a person responds to their messages, they will 
carry on protracted discussions with the recipient (Buchanan & Whitty, 2013; 
Cross, 2015). 

Careful scammers will ask a great deal of questions of their potential victims 
in an attempt to “get to know them,” while surreptitiously using the informa- 
tion to help adjust the scam to increase the likelihood of responses over time. 
The scammer will also indicate their romantic interests and profound love for 
the victim relatively soon, which may take the victim by surprise (Buchanan & 
Whitty, 2013; Cross, 2015). They may also get the victim’s address information 
and begin to send them gifts on and offline in an attempt to help cement their 
relationship and bond the scammer and victim. 

Once a relationship has been established, there are a range of ways the scam- 
mer may defraud the victim. All of these techniques are similar to the practices 
used in other email scams to acquire funds. In most cases, scammers will try 


to make arrangements with the victim to pay them a visit in person, so that 


they can consummate their love and enjoy each other’s company (Whitty & 
Buchanan, 2012). Some issue keeps them from traveling and they have insuffi- 
cient funds to get them out of their specific predicament. For instance, they may 
be unable to pay a hotel bill and will not be given back their passport until the 
debt is resolved. They may also claim to have been mugged or beaten, and they 
need funds to pay their hospital bill (Whitty & Buchanan, 2012). 

Victims who send funds are continually strung along for more money until 
such time as they realize they are being defrauded. Scammers may also ask the 
victim to help them by cashing checks on their behalf as they are unable to 
accept the payment for some reason. Others may ask the victim to accept goods 
on their behalf and reship them to another location as the company will not ship 
to their location (Cross, 2015). 

Regardless of the methods of the scammer, romance schemes are extremely 
harmful to victims. The prevalence and cost of victimization are unknown as 
many victims may feel too embarrassed or ashamed to report their experiences 
to law enforcement (Cross, 2015). In the United States, 19,473 victims of 
romance scams reported losing approximately $475 million in 2019 (Internet 
Crime Complaint Center, 2020). These losses averaged to over $24,393 per 
victim, making it the second-largest category of fraud as measured by victim loss 
(Internet Crime Complaint Center, 2020). 

A nationally representative survey of Great Britain in 2010 found that almost 
230,000 people had been scammed out of funds by romance schemes (Whitty 
& Buchanan, 2012). While this survey has not been replicated, evidence from 
other UK reporting agencies suggests victims lost more than £12.6 million 
across over 7,557 payments made to scammers in 2018, though only 1,400 total 
cases were reported (UK Finance, 2019). Similarly, the Australian Competi- 
tion and Consumer Commission found that romance frauds cost citizens over 
$28.6 million across almost 4,000 reported incidents in 2019 alone (ACCC, 
2020). These estimates do not, however, take into account the emotional hard- 
ships victims of romance schemes experience (see Box 6.4 for the experience 
of victims in their own words). Even if an individual does not experience any 
economic losses, they may feel substantive psychological hurt and a sense of 
rejection upon realizing that the scammer was not in love with them at all 
(Buchanan & Whitty, 2013; Cross, 2015). 

Victims of romance schemes may not fit into a particular demographic pro- 
file. There is a hypothesis that victims are more likely to be heterosexual women 
who are older (Whitty & Buchanan, 2012), though recent research found that 
both gay men and women were as likely to be victims as heterosexuals (Buchanan 
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Box 6.4 Understanding the Human Dimensions 
of Romance Scams 


Dr. Cassandra Cross, Senior Lecturer, School of Justice, Faculty 
of Law, Queensland University of Technology 


Techniques Used by Offenders to Target Victims 


“Frank” had recently lost his wife to a brain hemorrhage. He had started 
using various social networking websites to chat to women across the 
globe and in particular, started communicating with a woman in Ghana. 
During their conversations, Frank had shared details about himself and 
more importantly, details about his wife’s death. After a few months, Frank 
received a request for money from the brother of the woman he had been 
communicating with, after being advised she had been in a car crash and 
was suffering from the same illness that had taken his wife. 


... Then her brother calls me, sends me an email under her name and 
said she got hit by a car, her brain’s bleeding anyway, I just lost my wife 
with a brain hemorrhage, and they wanted $1000 for the doctor to 
operate, they won’t do anything unless you pay, so I sent them $1000 
[or] $1200, then it started... 

(Frank, 73 years) 


Frank was suspicious of the situation presented to him, but was willing to 
send the money on the off chance that the situation was legitimate and 
that this woman was sick. He had also been in phone contact with the 
alleged doctor who was treating her, which added to the plausibility of 
the situation. 


...She got hit by this car... I phoned the doctor and everything I 
phoned the doctor because I want to know. My wife had died from 
a brain hemorrhage you know and I'd spent two one hour sessions, 
probably a long time with two different neurosurgeons down there I 
wanted to give them my brain. [I said to them] why don’t you try this 
and [this], and as it turned out a lot of the things I suggested had been 
tried and don’t work. She’d had a massive internal bleed in the brain, 
you could see the scan it was just black... the doctor said if it’s on the 


perimeter on the edge of the brain, yeah they can drain the pressure off 
and fix it up and I thought you know, and that’s how they got me with 
her. $1000 wasn’t much, but I didn’t really believe it but I said maybe if 
it is going to happen and she is going to die I said for a thousand dollars 
they can have it you know... 

(Frank, 73 years) 


Frank’s situation illustrates the insidious way that offenders will manip- 
ulate a person’s emotions and circumstances to obtain financial benefits. 
It demonstrates the way that Frank was presented with a situation that 
involved multiple actors (the woman, her brother and the doctor) in order 
to increase the likelihood that he would consent to the request for money. 
The use of the same illness that had claimed his wife also reinforces the 
ways that offenders will specifically target victims to gain compliance to 
financial requests (Drew & Cross, 2013, p. 33). 


Impact of Romance Fraud on Victims 


Romance scam victims experience devastating effects as a result of the 
financial impact of fraud but also the loss of the relationship. For many, the 
relationship can be more difficult to grieve than the loss of money by itself. 

The severity of online fraud victimization was clearly evident in a 
small number of victims interviewed for Cross et al. (2016). As detailed 
below, the emotional and psychological impacts of online fraud vic- 
timization were so great for some that they had considered, or even 
attempted suicide. The below excerpts are all taken specifically from 
romance fraud victims. 


I have come close to ending my life, honestly, I still feel that way 


(interview 13). 


[At the time I reported the fraud] I said ‘As far as ’m concerned, I am 


ready to suicide’ (interview 34). 


I even tried to kill myself I was so depressed, because [of] not just the 
money but because of the shame. My family was very upset (inter- 


view 43). 
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I [was] sort of really despairing and about to commit suicide....I was 
desperate, I mean I was considering suicide. I was that distraught 
with what I’d actually done... [further in the interview] I was really 
despairing. I was, I saw this end for myself through suicide. And then I 
thought, ‘this is ridiculous. If I don’t say something to somebody, I’m 
going to do it [commit suicide]’ (interview 49). 


One woman, whose fraud victimization followed a number of other 
adverse life events, including a violent intimate partner relationship and 
the loss of her job, described taking steps towards ending her life: 


Participant: _I had literally torn up any personal things — letters, diaries, 
photos — so there would be no trace left. 

Interviewer: Of this [online fraud] incident? 

Participant: Of me....You just feel so stupid....[I felt] pretty useless 
really, that is what I kept thinking, a bit of a waste of space, 
that is what I kept thinking about myself. 

Interviewer: Did you ever think of suicide? 

Participant: | Yeah I did. I just shut down, but I would make sure my 
underwear was clean. It was just so bizarre, and there 
would be no trace of me left, I would just evaporate (inter- 
view 44). 

(Cross et al., 2016, pp. 28-29) 


Shame and Embarrassment in Disclosing Romance Fraud 


For many victims of romance fraud, embarrassment stemming from both 
using online dating services, and having been defrauded, combined to 
prevent them seeking support from loved ones. Many victims of romance 
fraud had either not disclosed to their family and friends that they were 
seeking romance online, or had provided only limited details about this. 


For example, one woman said 


I’ve got adolescent kids....They knew about it, they knew I was on a 
[dating] site....But they’re not real comfortable talking about it... [later 
in the interview] My kids were certainly okay about the fact that I was 
on the [dating] site but didn’t really want any sort of detail’ (interview 5). 


A male victim, who had sought out a relationship on an international 
dating website, described his reluctance to tell his family about being 
defrauded as follows: 


The stigma is twofold. One is to admit to your family that you have 
gone onto an international dating site, which is socially something 
which most Anglo-Saxon children would struggle with....It’s the 
whole stigma of being on a site that’s a problem with the mail order 
bride thing....The other thing is I got stung. That is two things there 
that you will emotionally not share (interview 4). 

(Cross et al., 2016, p. 61) 
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& Whitty, 2013). In addition, victims appear to have an idealistic worldview 
of romantic partners, placing them in high emotional and psychological regard 
while simultaneously ignoring their potential negative attributes (Buchanan & 
Whitty, 2013). These results are based on relatively limited research, demon- 
strating a need for continuing empirical analysis to better understand the risks 


associated with romance scam victimization. 


Business Email Compromise 


A final form of fraud that has emerged over the last few years combines 
multiple aspects of other email-based fraud schemes, as well as hacking and 
malware in some cases. This fraud is often called business email compro- 
mise (BEC), as it targets a range of businesses in order to move massive sums 
of money quickly under the guise of seemingly legitimate transactions (Mans- 
field-Devine, 2016). Unlike the messages noted in this chapter, the senders 
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do not utilize spam messaging in order to contact potential victims. Instead, 
they must take steps to carefully target a specific victim to create a convincing 
scenario that would increase the likelihood of a response (Mansfield-Devine, 
2016). The sender may also utilize tools to spoof or make an unrelated email 
account appear as a legitimate email address. This is essential to ensure that the 
request appears legitimate on the surface to be more convincing. This con- 
cept is sometimes called spear phishing, referring to the fact that the attacker 
is targeting a single entity within an organization rather than all employees 
(Burns et al., 2019). 

There are several forms of BEC, ranging from relatively simple to more 
complex based on the tools utilized to complete the scheme (Mansfield-Devine, 
2016; Trend Micro, 2021). Some of the most straightforward of these schemes 
involves a sender contacting a business under the guise of being a legitimate 
vendor or service provider with whom they conduct business. The sender will 
indicate that payment is due but must be made via a wire transfer to a different 
account than what is normally used. They may also pose as executives within 
the target organization to increase the perceived legitimacy of the request. The 
senders will often attempt to target accounts receivable/payable department 
email addresses so as to minimize the number of recipients within the organiza- 
tion and reduce the likelihood of detection. 

Mote sophisticated forms of BEC involve a fraudster actually compromis- 
ing existing email accounts within the target organization (Mansfield-Devine, 
2016; Trend Micro, 2021). If they can obtain an employee’s username and 
password for their email system, they will then use the account to send mes- 
sages to either the company’s accounting department or to those of their cli- 
ents in an attempt to receive payments for services rendered. There have also 
been documented incidents of fraudsters compromising high-level executive 
email accounts and then sending messages to human resources and accounting 
departments to request personal information of other employees and clients, 
including tax details and PI. The information is then used to file fraudulent 
tax returns and engage in different forms of fraud and theft (Mansfield-Devine, 
2016; Trend Micro, 2021). 

The various forms of BEC cause substantial economic harm to victims, with 
estimates suggesting there were over $1.7 billion in losses related to this fraud 
within only 23,775 reports the United States in 2019 alone (Internet Crime Com- 
plaint Center, 2020). Similar estimates from the Anti-Phishing Working Group 
(2020) estimated that scammers requested an average of $55,395 per request in 
the last three months of 2019 alone. In addition, the number of scams reported 


has increased consistently year over year across multiple reporting sources (Inter- 
net Crime Complaint Center, 2020; Trend Micro, 2019). The scams employed 
by senders are also evolving, with more sophisticated methods being employed 
over the last few years (Internet Crime Complaint Center, 2020). Additionally, 
the range of targeted organizations is changing, with more real estate and mort- 
gage companies being targeted (Trend Micro, 2018). As a result, there is a need to 
better understand these scams to reduce the likelihood of victimization generally. 


Data Breaches and Identity Crimes 


As ecommerce sites and social network use have increased the quantity of con- 
sumer information stored in large-scale databases that are connected to the 
Internet, hackers have shifted their energies to target these resources, espe- 
cially bank records, personal information, and other sensitive information (Holt 
et al., 2016; Leukfeldt et al., 2017; Newman & Clarke, 2003; Wall, 2007). This 
includes payment processing systems, which may be housed in larger financial 
institutions, or even point of sale terminals within brick and mortar stores. A 
hacker need only find a way to gain entry into the sensitive internal parts of 
a company or financial institution in order to get access to one of these data 
repositories. If successful, they will have access to hundreds of thousands, if not 
millions, of pieces of sensitive information that can be monetized in some way. 
For instance, they may be able to utilize credit card data for fraudulent transac- 
tions, or sell identity data to others to enable broad scale identity fraud and theft 
(see Box 6.5 for detail). 

The success of such compromises is evident in the fact that offenders regu- 
larly target institutions for mass exploitation (Ponemon Institute, 2021). These 
incidents are typically referred to as a data breach, as a large quantity of data is 
identified and then exfiltrated from an organization through illegal means by 
attackers. A data breach may occur as a result of various errors or deliberate 
attacks by insiders and outsiders. For instance, if an employee within an organ- 
ization leaves a laptop or hard drive containing sensitive information in a taxi 
or restaurant, the information may be acquired by others. Similarly, if sensitive 
information is inadvertently emailed through unencrypted means to others out- 
side of an organization, the data could be considered lost. Such incidents are 
often referred to as “human factor” errors by the Ponemon Institute, as the 
information is lost by virtue of human error. 

A wider range of hacks are the cause of data breaches, though they may stem 


from internal or external attackers. As noted in Chapter 3, insiders differ from 
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Box 6.5 Synthetic Identity Theft Stemming 
From Data Breaches 


Synthetic Identity Theft: The “Frankenstein” 
of Identity Crime 


https://www.idtheftcenter.org/synthetic-identity-theft-the-franken- 


stein-of-identity-crime/ 


One of the most baffling forms of identity theft and fraud is synthetic 
identity theft. This crime occurs when a would-be thief assembles an 
identity from stolen or assumed parts. 


This article provides an overview of the concept of synthetic identity theft 
driven in large part by the massive number of data breaches that have led 
to the loss of hundreds of millions of pieces of PII. The author explores the 
risk of so-called Frankenstein fraud and how it impacts victims. 


outsiders on the basis of their trusted position within an organization. Insiders 
may engage in different attack methods, such as the use of malware to delete sen- 
sitive information or release it through public means. At the same time, exter- 
nal attackers could masquerade as internal trusted actors through the use of 
fraudulently obtained user credentials. For instance, a major breach occurred 
in 2013 targeting the United States department store chain Target, which led 
to the loss of 40 million of customer credit and debit card records in less than 
30 days’ time (Krebs, 2014). The breach was performed by external hackers 
who first identified and phished a third-party service provider called Fazio 
Mechanical. The company provided heating and cooling maintenance for Tar- 
get stores and received payments for their services. Thus the attackers used 
Fazio’s established user credentials to access and interact with Target’s vendor 
payment portal online. 

Once the attackers had access to the internal Target network, they then 
acquired sensitive information from various parts of the retailer’s systems. For 
instance, customers who made purchases through the company’s website had their 
names, phone numbers, email, and mailing addresses lost in the breach. In addi- 
tion, the attackers placed malicious software on the point of sale terminals within 
certain stores, enabling them to acquire millions of credit and debit card numbers 
while the information was sent from the register to the payment processor (Krebs, 


2014). It is thought that the attackers may have been able to sell between 1 and 
3 million of the accounts they stole, potentially earning over $50 million in profits 
(see Chapter 12 for more on online markets; Krebs, 2014). The financial institu- 
tions who had to reissue and manage compromised card accounts, however, spent 
potentially $200 million to avoid further harm to their customers (Krebs, 2014). 
Thus, the economic harm caused by data breaches cannot be understated. 


Identity Theft and Fraud Laws 


In light of the myriad forms of fraud that can be perpetrated online, it is critical 
that the criminal justice system have various mechanisms that can be employed 
to pursue these offenders. Interestingly, the United States does not actually have 
any specific online federal fraud statutes. Instead, prosecutors use traditional mail 
(18 US.C. § 1341) and wire fraud (18 U.S.C. § 1343) statutes to prosecute Inter- 
net-based fraud. The primary difference between the mail and wire fraud statutes 
is simply whether the fraudulent activity occurred via traditional mail or teleph- 
ony. The wire fraud statute has more utility for prosecuting online fraud as the 
fraudulent communication occurred through the Internet. However, purchases, 
counterfeit goods, payments, and possibly correspondence related to online fraud 
may all be sent through traditional postal mail as well, which would allow prose- 
cutors to use the mail fraud statutes as well (Brenner, 2011). The penalties for both 
wire and mail fraud include a fine and up to 20 years in prison, with the possibility 
of up to 30 years if the fraud involved a financial institution. Those conspiring to 
commit online fraud can be penalized with a fine and imprisonment up to five 
years if the offense was a felony under the US’s conspiracy statute 18 U.S.C. § 371. 

There are several legislative mechanisms that have emerged, primarily at the fed- 
eral level, to punish fraud. The most pertinent laws in the United States are listed 
under the Identity Theft and Assumption Deterrence Act of 1998, which 
makes it a federal crime to possess, transfer, or use a means of identification of another 
person without authorization with the intent to commit or aid in the commission 
of illegal activity at the local, state, or federal level (Brenner, 2011). This includes a 
variety of specific acts outlined in Title 18 of the US Legal Code § 1028, including: 


1 Knowingly, and without authority, produce an identification document or 
supporting materials for identification documents, such as holograms or other 
images (a) (1) 

2 Knowingly transfer an identification document or materials with the knowl- 
edge that the item was stolen or produced without authority (a) (2) 
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3 Knowingly possess with the intent to use or transfer, five or more identifica- 
tion documents or materials (a) (3) 

4 Knowingly possess an identification document or materials with the intent to 
use the item to defraud (a) (4) 

5 Knowingly produce, transfer, or possess a document-making implement or 
authentication feature that will be used in the creation of a false identity 
document (a) (5) 

6 Knowingly possess an identification document or supporting materials of the 
United States that is stolen or produced without lawful authority (a) (6) 

7 Knowingly transfer, possess, or use a means of identification of another per- 
son without authorization with intent to engage in unlawful activity (a) (7) 

8 Knowingly traffic in false authentication materials for use in the creation of 
false identification. (a) (8) 


These activities could affect interstate or foreign commerce, as well as any mate- 
rials that are sent through the mail, such as personal identifications or passports. 
The punishments for identity crimes range from 5 to 15 years in prison, as well 
as fines and prospective forfeiture of goods and materials obtained while using 
an identity (Brenner, 2011). 

Under this law, an identification document is defined as “a document made 
or issued by or under the authority of the United States government ... with infor- 
mation concerning a particular individual, is of a type of intended, or commonly 
accepted for the purpose of identification of individuals” (USC 1028 d). This law 
also specifically outlaws the use of means of identification, which includes names, 
social security numbers, date of birth, drivers’ license or identification numbers, 
passport information, employer identification numbers, biometric data (such as fin- 
gerprints), unique electronic identification numbers, addresses, bank routing num- 
bers, or even the telecommunications identifying information of an access device, 
such as the IP address of a computer system (Brenner, 2011). Finally, this legislation 
made the FTC a clearinghouse for consumer information on identity-related crimes. 

The Identity Theft Penalty Enhancement Act of 2003 added two years 
to any prison sentence for individuals convicted of a felony who knowingly 
possessed, used, or transferred identity documents of another person (Brenner, 
2011). This act also added five years to the sentence received for identity theft 
convictions related to an act of violence or drug trafficking, and ten years if con- 
nected to international acts of terrorism. This specific enhancement is designed 
to further punish actors who may develop or create fictitious identities in sup- 
port of acts of terror. 


In addition, the Identity Theft Enforcement and Restitution Act of 
2.008 is important because of its impact on sentencing and the pursuit of iden- 
tity crimes (Brenner, 2011). Specifically, this act allows offenders to be ordered 
to pay restitution as a penalty to victims of identity theft. This statute also ena- 
bles more effective mechanisms to prosecute offenses unrelated to computer 
fraud that could otherwise be prosecuted under the Computer Fraud and Abuse 
Act. Additionally, it expands the ability for agencies to pursue computer fraud 
actors engaging in interstate or international offenses. Finally, this act imposes 
criminal and civil forfeitures of property used in the commission of computer 
fraud behaviors. 

A final piece of federal legislation to note is the Fair and Accurate Credit 
Transactions Act of 2003. This law provided multiple protections to help 
reduce the risk of identity theft and assist victims in repairing their credit in 
the event of identity theft (Brenner, 2011). This includes requiring businesses 
to remove customer credit card information (except the last four digits) from 
receipts to reduce the risk of victimization. The law also allowed consumers to 
obtain a free credit report every year from the major credit monitoring services 
to assist in the identification of fraudulent transactions or potential identity theft. 
Finally, the act provided mechanisms for consumers to place and receive alerts 
on their credit file to reduce the risk of fraudulent transactions. These steps are 
integral to protecting consumers from harm. 

Every US state has implemented laws regarding identity theft or imperson- 
ation of another person, whether through on or offline means (National Con- 
ference of State Legislatures, 2020a). Some choose to prosecute these offenses 
under existing computer hacking statutes, while others include separate lan- 
guage pertaining to computer fraud (e.g., Arkansas, Hawaii). A number of states 
have also outlawed computer theft, which may include forms of piracy or com- 
puter hardware theft (e.g., Colorado, Georgia, Idaho, Iowa, Minnesota, New 
Jersey, Pennsylvania, Rhode Island, Vermont, Virginia). Additionally, 29 states 
have established specific laws and regulations for victims of identity theft to 
receive restitution for their experiences (National Conference of State Legisla- 
tures, 2020a). 

The United States does not have a federal statute that covers how corpora- 
tions and agencies need to respond to all types of data breaches. Instead, specific 
statutes cover specific types of data breaches. For example, the Financial Mod- 
ernization Act of 1999, also known as the Gramm-Leach-Bliley Act, requires 
that banks and financial institutions need to have established written informa- 
tion security plans and data breach response programs, which normally should 
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include notifying customers of a data breach if one occurs, and to take appro- 
priate steps to ensure that third-party vendors area protecting confidential data 
(Federal Trade Commission, 2021c). All 50 states, Washington, DC, Guam, 
Puerto Rico, and the Virgin Islands, however, have developed legislation 
related to large-scale data or security breaches, like the Heartland Bank or 
TJX compromises (National Conference of State Legislatures, 2020b). Breaches 
can affect hundreds of thousands of victims through no fault of their own, cre- 
ating a substantive need to ensure that consumers are protected. California was 
the first state to develop such a law in 2003, titled the California Security Breach 
Notification Act (Cal. Civil Code). This legislation required California residents 
to be notified of a breach whenever a database compromise leads to the loss of 
an individual’s first and last name along with any of the following information: 
(1) social security number, (2) driver’s license number or California State ID 
card number, or (3) an account, debit, or credit card number in combination 
with any security information that could be used to authorize a transaction, such 
as the three-digit security code on the card. 

This law was designed to serve as a safeguard for consumers in the event that 
a breach led to the loss of sensitive information. Additionally, this legislation 
validated the idea that companies and organizations are obliged to protect con- 
sumer data from harm. The nearly unanimous passing of this legislation led 
other states to develop their own language pertaining to breach notifications. 
Though all parts of the United States currently have laws in place, they differ in 
the extent to which a breach is defined, what entities must comply with the law, 
and the extent to which data must be protected. This will no doubt continue 
to evolve as the threats to large databases of information change and increase 
with time. 

Many nations around the world have also criminalized identity crimes in some 
fashion, though their statutes may not actually include this phrase. For instance, 
India utilizes the phrase “identity theft” in their criminal code under Section 
66C, making the fraudulent or dishonest use of passwords or unique identity 
information punishable by up to three years in prison and fines (Brenner, 2011). 
Australia does not use this phrasing in its Criminal Code Amendment Act 2000 
in section 135.1, but this new code recognizes general dishonesty where a per- 
son is guilty if they do anything with the intention of dishonesty, causing a loss 
to another person, and that person is a Commonwealth entity (Brenner, 2011). 

Canada’s federal Criminal Code also has multiple sections related to iden- 
tity crimes. Under section 402.2, anyone who knowingly obtains or possesses 
another person’s identity information, such that the data can be used to commit 


some form of fraud or deceit, can be subject to up to five years in prison (Holt 
& Schell, 2013). Additionally, Section 403 criminalizes the fraudulent use of 
another person’s identity information to (1) gain advantage for themselves or 
others, (2) obtain or gain interest in property, (3) cause disadvantage to the 
person being impersonated or others, or (4) avoid arrest or prosecution (Holt & 
Schell, 2013). Any violation of this statute can be punished with a prison sen- 
tence of up to ten years in total. 

The United Kingdom utilizes similar language regarding fraudulent or dis- 
honest use in order to gain advantage or cause another person to lose in some 
fashion in its Fraud Act of 2006. This statute applies specifically to England, 
Wales, and Northern Ireland and also identifies three forms of fraud, including 
false representation of facts or laws, failure to disclose information when legally 
mandated, and fraud based on abuses of individual power to safeguard or protect 
personal or financial information (Holt & Schell, 2013). Similarly, the United 
Kingdom’s Data Protection Act 1998 provides protections for personal data 
held by companies and persons, ensuring it is not only up-to-date, but accu- 
rately maintained, and able to be viewed by each individual to ensure that it 
correct (Holt & Schell, 2013). 

The EU Convention on Cybercrime (CoC) also includes two articles per- 
taining to computer forgery and fraud, though it does not use the phrase identity 
fraud or theft (Brenner, 2011). The CoC requires nations to adopt legislation 
criminalizing access, input, deletion, or suppression of data that leads it to be 
considered as inauthentic or fraudulent, even though it would otherwise be 
treated as though it were authentic data (Brenner, 2011). Additionally, the CoC 
criminalizes the input or alteration of data and/or interference with computer 
systems with the intent to defraud or procure economic gain and cause the loss 
of property of another person. This language directly applies to various forms 
of online fraud and data theft, making it a valuable component for the develop- 
ment of cybercrime law globally. 


Investigating and Regulating Fraud Globally 


The myriad forms of fraud that can be perpetrated, coupled with the potential 
for fraudsters to victimize individuals around the world, makes this a difficult 
form of crime to investigate. In the United States, local law enforcement agen- 
cies may serve as a primary point of contact for a victim, as do the offices of 
state Attorneys General, who typically act as information clearinghouses for 
consumer fraud cases. Additionally, states’ Attorneys General offices can accept 
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complaints on behalf of fraud victims and can help to direct individuals to 
the correct agency to facilitate investigations when appropriate. It is important 
to note that federal agencies will be responsible for cases where the victim and 
oftender reside in different states or countries. We will focus our discussion on 
the primary federal agencies in various nations which are responsible for the 
investigation of online fraud due to the fact that the majority of online fraud 
cases involve victims living in a separate jurisdiction from their offender (Inter- 
net Crime Complaint Center, 2020). 

The United States Secret Service is one of the most prominent federal 
law enforcement bodies involved in the investigation of online fraud in the 
United States. The Secret Service was initially part of the US Department of the 
Treasury and had a substantive role in investigating the production of counter- 
feit currency and attempts to defraud financial payment systems (Moore, 2010). 
As banks and financial industries came to depend on technology in the 1980s 
and 1990s, the Secret Service increasingly investigated Internet-based forms of 
fraud. Today, the cyber operations of the Secret Service include the detection, 
criminal investigations, and prevention of financial crimes, including counter- 
feiting of US currency, access device fraud (including credit and debit fraud), 
complex cybercrimes, identity crimes and theft, network intrusions, bank fraud, 
and illicit financing operations (US Secret Service, 2020). Financial institution 
fraud (FIF) offenses typically involve the use of counterfeit currency created in 
part by computers and sophisticated printing devices, as well as checks and other 
protected financial products (Moore, 2010). Access-device fraud, whereby an 
individual utilizes credit card numbers, PINs, passwords, and related account 
information to engage in acts of fraud, is also a high priority of the Secret Ser- 
vice. The practices of carders are of particular interest to the Secret Service, 
as the sale and use of dumps and other financial information constitute acts of 
access-device fraud. Another area of interest involves the investigation of gen- 
eral acts of fraud involving computers and systems of “federal interest,” such that 
they play a role in, or directly facilitate, interstate or international commerce 
and government information transfers (Moore, 2010). This is a very broad area 
of investigation, including hacking offenses and the use of computers as storage 
devices to hold stolen information or produce fraudulent financial materials. As 
a result, the Secret Service has been given the power to investigate a wide range 
of cybercrimes. 

To help ensure successful detection, investigation, and prosecution of these 
crimes, the Secret Service also operates so-called Cyber Fraud Task Forces 
(CFTFs) across the globe (US Secret Service, 2020). These task forces are 
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brand new as of 2020, and integrate the capacities of the former Electronic 
Crimes Task Forces (ECTF) and Financial Crimes Task Forces (FCTF) pro- 
grams. There are now 42 of these CFTFs across the country, and operate as a 
sort of global network of task forces to respond to the variety of financial fraud 
and theft affecting local, state, and federal agencies, as well as the private sector. 

In addition to the Secret Service, the Federal Bureau of Investigation (FBI) 
plays a prominent role in the investigation of cybercrime, including online fraud. 
The FBI is considered the lead federal agency for investigating various forms of 
cybercrime (FBI, 2021). The FBI also identified internet fraud and identity theft 
as top crimes of interest (FBI, 2021). This is a change for the Bureau, which had 
a focus on traditional forms of white collar crime and fraud in the real world until 
the early 2000s, when Internet use became nearly ubiquitous across the indus- 
trialized world. The expansion of FBI investigative responsibilities into online 
fraud is in keeping with their general role in the investigation of cyberattacks 
against national infrastructure and security (FBI, 2021). Criminal entities, terror- 
ist groups, and even nation-states may have a vested interest in identity theft in 
order to fund various illicit activities and generally harm the economic safety of 
the nation and its citizens. Thus, both the Secret Service and the FBI now play a 
role in the investigation of online fraud. This creates potential investigative chal- 
lenges as investigators across agencies must find ways to coordinate operations 
in order to avoid the duplication of effort and de-conflict which criminal actors 
may be working with law enforcement (see Box 6.6 for details). 

The FBI also houses the Internet Crime Complaint Center (IC3) within 
its Cyber Operations Division. The IC3 Unit is staffed by both FBI agents and 
professional staff with expertise in the prevention, detection, and investigation 
of cybercrime. They also partner with industry representatives, such as Internet 
service providers, financial institutions, and online retailers, as well as with reg- 
ulatory agencies and local, state, and federal law enforcement agencies to under- 
stand the scope of various forms of online fraud. Victims can contact the agency 
through an online reporting mechanism that accepts complaints for a range of 
offenses, though the most common contacts involve non-delivery of goods or 
non-payment, advance fee fraud victimization, identity theft, auction fraud, and 
other forms of online fraud driven via spam (Internet Crime Complaint Center, 
2020). In turn, victims may be directed to the appropriate investigative resources 
to further handle complaints. 


ORO 
For more on the IC3, go online to: https://www.ic3.gov/# ra 
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Box 6.6 The Overlapping Role of the Secret 
Service and Federal Bureau of 
Investigation 


Crime Boards Come Crashing Down 


http://archive.wired.com/science/discoveries/news/2007/02/72585? 
currentPage=2 


While Thomas had been working on the West Coast for the FBI, the 
Secret Service’s New Jersey office had infiltrated Shadowcrew sepa- 
rately, with the help of a confidential informant, and begun gathering 


evidence against carders on that site. 


This article provides an overview of the relationships between the FBI and 
Secret Service in the investigation and takedown of the group “the Shad- 
owcrew’ and subsequent investigations of other hacker groups. 


The US Immigration and Customs Enforcement (ICE) and Customs 
and Border Patrol (CBP) agencies also have an investigative responsibility 
regarding financial crimes, fraud, and counterfeiting. Given that CBP agents 
monitor border crossings and ports, they serve a pivotal role in the identification 
of attempts to smuggle in cash and currency, as well as use or transfer fraudulent 
documents. ICE is the largest investigative agency within the Department of 
Homeland Security, Homeland Security Investigators (DHS HSI), including 
ICE agents, investigate a wide variety of crimes in order to protect “the United 
States against terrorist and other criminal organizations who threaten [US] 
safety and national security and transnational criminal enterprises who seek to 
exploit America’s legitimate trade, travel, and financial systems” (Immigration 
and Customs Enforcement, 2021). In order to prevent or investigate terrorist 
acts and criminal behavior, they investigate the flow of people, money, drugs, 
guns, fraudulent items, and other items across US national boundaries. There- 
fore, ICE and other HSI investigators play a major role in investigating identity 
crimes, fraud, and smuggling (Immigration and Customs Enforcement, 2021). 

In the United Kingdom, the primary agency responsible for managing fraud 
between 2008 and 2014 was the National Fraud Authority (NFA), which was 
formed in order to increase cooperation between both the public and private 
sector (National Fraud Authority, 2014). The NFA acted as a clearinghouse 


for information on various forms of fraud and reports on the scope of fraud in 
any given year through the publication of the Annual Fraud Indicator report. 
Through assessments of threats to the public and not-for-profit sectors, this 
report attempted to estimate the total costs of fraud to United Kingdom resi- 
dents each year (National Fraud Authority, 2014). In March 2014, NFA func- 
tions were transferred to other agencies (National Fraud Authority, 2017). NFA 
staff that were working on strategic development and threat analysis were trans- 
ferred to the National Crime Agency (NCA). The NCA addresses serious 
and organized crime in the United Kingdom, including cybercrime, fraud, and 
other Internet crimes. They operate the National Cyber Crime Unit which 
“leads the UK’s response to cybercrime, supports partners with specialist capa- 
bilities and coordinates the national response to the most serious of cyber crime 
threats” by working with Regional Organized Crime Units, the Metropoli- 
tan Police Cyber Crime Unit, industry, and law enforcement and government 
agencies (National Crime Agency, 2021). Within the NCA, the Economic 
Crime Command focuses on reducing the impact of economic crime, including 
money laundering, fraud, and counterfeit currency, on the United Kingdom. 
Action Fraud, which was housed in the NFA, was transferred to the City of 
London Police (Action Fraud, 2021). Action Fraud is a reporting service that 
enables citizens and businesses to file reports of fraud online or via phone and 
obtain information about how to better protect themselves from being victim- 
ized. In fact, the Action Fraud service is similar to that of the US IC3, in that 
victim complaints are forwarded to law enforcement In this case, Action Fraud 
reports are examined by the City of London Police and the National Fraud 
Intelligence Bureau (NFIB), operated by the City of London police, for 
further investigation (Action Fraud, 2021). The NFIB collects information on 
various forms of fraud and aggregates this data along with reports from business 
and industry sources into a large database called the NFIB Know Fraud system. 
Analysts can query this database to generate intelligence reports on the credibil- 
ity of fraud reports and develop information that can be used to pursue criminal 


charges or other operations to disrupt fraudsters (Action Fraud, 2021). 


For more on reporting fraud in the United Kingdom, go online 


to: www.actionfraud.police.uk/report_fraud 


Canada also utilizes a similar fraud reporting structure called the Canadian 
Anti-Fraud Centre (CAFC), which is a joint effort of the Royal Canadian 
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Mounted Police, Ontario Provincial Police, and the Competition Bureau Can- 
ada. The CAFC collects reports and complaints on various forms of fraud, both 
on and offline, from victims through either an online process or over the phone. 
The complaints received are aggregated and examined by the Operational Sup- 
port Unit (OSU) to develop intelligence packages and briefs for Canadian agen- 
cies and taskforces that investigate fraud, prepare fraud prevention campaigns, 
and to the private and public sector on alternative preventative measures to 
reduce the ability of fraudsters to communicate with potential victims and their 
ability to launder funds (CAFC, 2021). 

There are also a number of non-governmental organizations and groups that 
offer assistance in dealing with fraud. For instance, the Anti-Phishing Working 
Group (APWG) is a not-for-profit global consortium of researchers, computer 
security professionals, financial industry members, and law enforcement designed 
to document the scope of phishing attacks and provide policy recommendations 
to government and industry groups worldwide (Anti-Phishing Working Group, 
2021). The APWG has members from 2,200 institutions around the world, includ- 
ing financial institutions and treaty organizations, such as the Council of Europe’s 
Convention on Cybercrime and the United Nations Office of Drugs and Crime 
(UNODC). The group collects statistics on active phishing attacks provided 
by victims and researchers to provide information on the most likely targets for 
phishing attacks and shares this information with interested parties to help combat 
these crimes. Furthermore, the APWG operates various conferences designed to 
improve the detection, defense, and cessation of phishing and fraud victimization. 

The Federal Trade Commission (FTC) is a key resource for consumers 
and victims of fraud, particularly after the passing of the Identity Theft Assump- 
tion and Deterrence Act of 1998. The FTC is an independent watchdog agency 
within the federal government responsible for consumer protection and monitor- 
ing the business community to prevent monopolies and regulate fair practice 
statutes (Federal Trade Commission, 2021c). There are three separate bureaus 
within the FTC: (1) Bureau of Competition; (2) Bureau of Consumer Protec- 
tion; and (3) Bureau of Economics. The Bureau of Consumer Protection is tasked 
with the enforcement of laws related to consumer safety, fraud, and privacy pro- 
tection. This Bureau is staffed with attorneys who have the power to pursue cases 
against various forms of fraud and identity crimes. In particular, the FTC serves 
as a key reporting resource for consumer complaints of identity crimes though 
both an online and telephone-based reporting mechanism. It is important to note 
that the FTC does not pursue individual claims to any resolution. Instead, the 
aggregation of reporting information is used to determine when and how federal 


lawsuits may be brought against specific groups or to develop legislation to pro- 
tect consumers. The FTC also operates a spam-reporting database to help track 
the various scams that are used by fraudsters over time. Finally, they offer a variety 
of consumer-focused publications that discuss the risks for identity theft and ways 


to protect credit scores, bank accounts, and other sensitive information. 


For more consumer information from the FTC, go online to: 


www.consumer.ftc.gov 


The FTC is also increasingly involved in the regulation and monitoring of 
online advertising campaigns. As consumers increasingly utilize e-commerce 
sites in the course of their shopping, it is vital that their rights and personal infor- 
mation are safeguarded from deceptive advertising practices or unfair tracking 
policies. For instance, the FTC filed a complaint against a company called Just 
in Time Tickets, Inc. in January 2021 (Federal Trade Commission, 2021b). The 
company operated a ticket broker business selling tickets for concerts, sporting 
events, and other live events at a premium price. 

What the company did not explain to consumers was that it utilized auto- 
mated software, colloquially known as bots, to purchase tickets at their face 
value when they went on sale for events (Federal Trade Commission, 2021b). 
The FTC was empowered to take legal action against the company on the basis 
of little-known law called the Better Online Ticket Sales (BOTS) Act. 
This act, implemented in 2016, was designed to limit the use of automated 
software to purchase tickets for events, and gave the FTC the power to pursue 
legal action for violations of the law. As a result, the company was required to 
pay $3.7 million in damages to consumers (Federal Trade Commission, 2021b). 

There are similar entities for data protection across the world, such as the UK’s 
Information Commissioner’s Office (whose main purpose is to protect the pub- 
lic’s information rights and privacy) (ICO, 2021), the Australian Government’s 
Office of the Australian Information Commissioner (OAIC) (OAIC, 2021), and 
Spain’s Agencia Espafiola de Proteccion de Datos (AEPD) (AEPD, 2021). These 
agencies provide detailed information on governmental regulations, the protec- 
tions that should be in place for personal data, and what individuals should do in 
the event that they are victimized in some fashion. Additionally, these agencies 
may work together to share information and investigate some forms of offend- 
ing. For instance, these nations all have a collaborative working agreement with 
the FTC to collect data on spam and other consumer threats (Lake, 2020). 
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Summary 


As a society, we have increasingly come to depend on the Internet and computer 
technology to manage most every aspect of our financial lives. This has unparal- 
leled benefits in that we can track expenses and monitor our purchases in near real 
time. Our ability to connect to others and to pay for purchases has also increased 
the opportunities for fraudsters to take advantage of vulnerable populations. The 
use of email-based scams allows individuals to create convincing replicas of mes- 
sages from legitimate service providers and vendors. Consumers must now be 
extremely cautious about accepting what they see in online messages at face value. 
The amount of sensitive information about our financial and personal lives that 
is now outside of our regulation has also created opportunities for fraud that are 
beyond our control. Fraudsters can now victimize hundreds of thousands of peo- 
ple in a short amount of time and gain a substantial profit from the sale of this data. 

The response from the criminal justice and financial sector to these crimes has 
improved greatly over the last decade. There are still great challenges involved 
in the detection, investigation, and successful prosecution of these cases due 
to the jurisdictional challenges that may exist. Since offenders and victims can 
be hundreds, if not thousands, of miles away from one another, it is difficult 
to arrest responsible parties or even make victims whole through restitution. 
Thus, we must continually improve consumer awareness of fraud to reduce the 
likelihood of victimization and simultaneously expand the capabilities of law 
enforcement to respond to these crimes. 
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Discussion Questions 


1. As we continue to adopt new technologies to communicate, how will 


scammers utilize these spaces? For instance, how might a scammer use 


FaceTime or TikTok to lure in prospective victims? 


2. What demographic groups seem most susceptible to fraud schemes, like 
romance scams? Why do you think this might be the case? 

3. What steps and techniques can individuals use to reduce their risk of 
victimization via a data breach or other non-interactive forms of fraud? 

4, How can nations work together better to address fraud? What is a nation 


supposed to do if its citizens are routinely victimized online by citizens of 


another nation which refuses to do anything about it? 
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Chapter Goals 


e Connect the evolution of pornography with technology 

e Explore the impact of image-based sexual abuse on victims 

e Examine the role of the Internet in prostitution 

¢ Know the laws pertaining to obscenity and image-based sexual abuse 

e Explore the role of self-regulation in dealing with obscenity around 
the world 


Introduction 


Computer-mediated communications allow individuals to easily engage in sex- 
ually explicit discussions, view pornography (Lane, 2000), and commit more 
serious acts, including creating, disseminating, downloading, and/or viewing 
pedophilia and child pornography (Durkin & Bryant, 1999; Quayle & Taylor, 
2002). In addition, the Internet has engendered the formation of deviant sub- 
cultures that were otherwise unlikely or limited in the real world (see Quinn & 
Forsyth, 2005). Individuals can connect with others who share their interests to 
find social support and information sharing. Virtual environments provide an 
opportunity for deviants to connect and communicate without fear of reprisal 
or scorn, though their actions may often take place in the real world (Quinn & 
Forsyth, 2005). 

As a result, the Internet now provides resources that cater to all individuals, 
regardless of sexual orientation or preferences. Additionally, these services can 
be arrayed along a spectrum from legal but deviant to illegal and strongly sanc- 
tioned depending on the nature of the content and the laws of a given country 
(Quinn & Forsyth, 2005). For example, there are a number of service providers 
offering completely legal resources to connect individuals together, such as dat- 
ing apps like Tinder, Bumble, and Match.com. These sites allow individuals to 
make personal profiles noting their likes and dislikes, connect with others who 
share their interests, and potentially meet offline for a date or build a long-term 
relationship. Similar services also exist that are designed to facilitate short-term 
sexual encounters, including extramarital affairs, based on personal profiles that 
connect interested parties together. Websites like AshleyMadison.com, Victo- 
ria Milan, and Casualx have become extremely popular to connect people for 
overt, short term casual sex between people, regardless of their involvement in 
monogamous relationships (Bort, 2013). 


Pornography, IBSA, and Prostitution 


In addition to content designed to facilitate sexual and/or romantic relation- 
ships, a great deal of pornography, defined broadly as the representation of 
sexual situations and content for the purposes of sexual arousal and stimulation 
(Lane, 2000), is available online. These erotic writings, photos, video, and audio 
content, which are easily accessible, are largely legal, but may be viewed as devi- 
ant depending on the social norms and values within a community (Brenner, 
2011). In the United States and most Western nations, pornographic content is 
legal so long as the participants (or those depicted in the work) are over the age 
of 18 and the consumer is of legal age. Some content, such as sex between 
animals and humans, rape or physical harm, and images featuring children and 
minors, are illegal (Quinn & Forsyth, 2013). The lack of boundaries in online 
spaces, however, makes it hard to completely regulate or restrict individuals’ 


access to this content. 


For more on the legal status of pornography, go online to: http:// 
en.wikipedia.org/wiki/Pornography_by_region 


The availability of pornography and erotica has enabled individuals to find 
content that appeals to any interest, no matter how unusual. In fact, there is now 
a wide range of online content providers that cater to specific sexual fetishes, 
where individuals experience sexual arousal or enhancement of a romantic 
encounter based on the integration of physical objects or certain situations 
(Quinn & Forsyth, 2013). Fetishes can include anything from wearing high 
heels or a certain type of clothing (e.g., nursing or police officer uniforms), to 
more extreme acts, including sex with animals (bestiality) or the dead (necro- 
philia). The range of subjects that are now featured in pornographic content 
online has led to the concept of “Rule 34,” which essentially states that “if it 
exists, there is pornographic content of it” (Olson, 2012). 


For more on sex work, go online to: http://rabble.ca/books/reviews/ 
2014/05/working-it-sex-work-labour 


Technology also facilitates traditional prostitution in the real world, where 
individuals pay for sexual encounters with another person. For instance, clients 
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of sex workers use forums and other computer-mediated communications 
(CMCs) to discuss the sexual services available in a location and the acts that sex 
workers will engage in (Holt & Blevins, 2007; Milrod & Monto, 2012; Weitzer, 
2005). Sex workers use websites, blogs, and email in order to arrange meetings 
with clients and vet them before they meet in the real world (Cunningham & 
Kendall, 2010). Though these communications are not illegal, laws pertaining 
to the act of prostitution vary from country to country (Weitzer, 2012). Some 
nations, such as the United States, Russia, and China, have criminalized both 
the sale of and solicitation of sex. Other nations including Sweden, Norway, 
and Canada have made it illegal to pay for sex as a client, though sex workers 
can legally engage in prostitution. Still other nations have legalized prostitution 
entirely, such as the United Kingdom, though they may have laws against cer- 
tain activities such as soliciting sex in public places (Weitzer, 2012). For those 
nations that have criminalized both the solicitation and sale of sex, technology is 
making it easier for both clients and providers to reduce their risk of detection 
and arrest. 

Technological innovation and sexuality have clearly been intertwined since 
the first human attempted to paint on cave walls (Lane, 2000). This relationship 
has been brought to the forefront as we now utilize devices that can record 
and transmit any and all of our activities to others. As a result, this chapter will 
consider the ways that humans use technology to engage in various forms of 
sexual expression. In addition, the chapter will discuss how the intersectionality 
of technology and sexual exploration has influenced sexting and the traumatic 
consequences of revenge pornography or image-based sexual abuse (IBSA) on 
victims. We will also explore the impact of technology on paid sexual encoun- 
ters, or prostitution, which has been in existence since the emergence of society. 
Finally, we cover the complex legal structures used to define obscenity and por- 
nography, as well as the wide range of well-connected agencies that investigate 
these offenses. 


Pornography in the Digital Age 


Prior to the Internet and consumer access to digital media, the production of 
sexual materials was primarily limited to professional production studios and 
artists. Amateurs were able to write their own erotic fiction and paint or sculpt 
images, though they may vary in quality. The development of audio and visual 
recording equipment in the 19th century revolutionized the creation of sexual 
images. No longer were individuals limited to line drawings or other artistic 
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representations of sexual images; instead, the human body could be represented 
as it was in real life (Yar, 2013). The first photographs featuring nudes were 
popularized by Louis Daguerre of France as a means to support the training 
of painters and other artists. Due to the process of photography at this time, it 
took between 3 and 15 minutes for an image to be captured, making it virtually 
impossible to present individuals engaged in actual sex acts (Lane, 2000). As 
photographic processing evolved in the 1840s and 1850s, the cost of creating 
images decreased, allowing nudes and erotic photos to be sold at a cost the mid- 
dle class could easily afford. Images of nudes were also printed on postcard stock 
and sent through the mail to others, becoming colloquially known as “French 
postcards” (Lane, 2000). 

The development of motion picture films in Europe in 1895 was followed 
almost immediately by the creation of the first erotic films (Lane, 2000). In 
1896, the film Le Coucher de la Marie was made by Eugene Pirou and showed a 
woman engaging in a striptease. Shortly thereafter, European and South Amer- 
ican filmmakers produced films featuring actual sex between couples, such as A 
L’Ecu d’Or ou la Bonne Auberge from 1908 and Am Abend from 1910. 

Producing erotic images or pornographic films during this period was 
extremely risky, as social mores regarding sex were very different from those of 
today. Until the Victorian era of the mid-1800s, there were few laws regarding 
possession or ownership of sexual images and objects. In fact, the world’s first 
laws criminalizing pornographic content were created in the United Kingdom 
through the Obscene Publications Act (OPA) of 1857 (Yar, 2013). This 
act made it illegal to sell, possess, or publish obscene material, which was not 
clearly defined in the law. Law enforcement could also search, seize, and destroy 
any content found, which was a tremendous extension of police powers at the 
time (Lane, 2000). Shortly thereafter, similar legal structures began to emerge 
throughout Europe and the Americas in order to help minimize the perceived 
corrupting influence of such content on the masses. 

As a way to skirt these laws, pornography producers began to market their 
materials as either art materials or celebrations of health or nature, such as nudist 
lifestyles. Gentlemen’s magazines also included images and drawings of nudes. 
The development of Playboy magazine in the 1950s epitomized the attempt 
to combine tasteful nudity coupled with traditional content regarding fashion, 
fiction, and news stories (Lane, 2000). These works pushed conventional atti- 
tudes toward perceived obscene content in mass media, while underground 


publishers were producing images of sexual intercourse and fetish materials that 


were sold through direct mail and in less reputable stores. These materials often 
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drew the attention of law enforcement, though social standards began to soften 
in the late 1960s and 1970s toward erotica and pornography. As a result, mag- 
azines and films became more prevalent and could be purchased at newsstands 
and some retailers, leading to a range of publications from Hustler to Penthouse 
(Lane, 2000). 

Social attitudes toward obscene content evolved concurrently with techno- 
logical innovations that became available to consumers in the 1970s through 
1990s. In the 1970s, the development of the Polaroid instant camera and rela- 
tively affordable home video recording equipment made it easier for individuals 
to create their own pornographic media in the privacy of their own homes 
(Lane, 2000). The creation of the video cassette during the 1970s was also 
revolutionary, as consumers could record content using inexpensive recording 
cameras that put images onto blank tapes rather than film stock. Thus, individ- 
uals could film their own sexual experiences and could then watch them using 
video cassette recorders (VCRs) in their own homes on demand. These 
affordable devices revolutionized the production of pornography, so much so 
that the pornographic film industry began to record using video home system 
(VHS) tapes rather than actual film stock. As a result, the industry exploded and 
became extremely profitable due to low costs and high volume sales and rentals. 
Similarly, amateur content became increasingly possible as consumers owned 
the equipment needed to make their own sex tapes at home. 

As technology continued to improve in the late 1990s with the expansion of 
the World Wide Web, individuals began to experiment with how they could 
use computers and media to create sexual images in their own homes without 
the need for major distribution through existing publishers (Yar, 2013). Digital 
cameras, web cams, and high-speed Internet connectivity allowed individuals 
to develop materials to sell directly to interested parties, regardless of whether 
they worked with existing pornography producers or on their own out of their 
own homes. 

One of the prime examples of such a story is that of Sandra and Kevin Otter- 
son, or Wifey and Hubby, who have operated their own pornographic web- 
site selling content that they produce since 1998 (Cromer, 1998). The couple 
had no prior involvement in the pornography or sex industry but were simply 
interested in sharing images of themselves. Kevin first posted scanned images 
of Polaroid pictures of his spouse on a Usenet group in 1997 and received 
extremely positive feedback from others. They continued to post pictures and 
eventually started to sell the materials through direct mailing. Their website first 
came online in January 1998 and had a monthly fee of $9.95 in order to access 
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pictures, videos, and additional content that could be purchased through the 
real world. At the time, the couple estimated that they had made a few hundred 
thousand dollars from the sale of their content (Cromer, 1998). 

The popularity of the web and computer technology led to a massive explo- 
sion of adult content online. In fact, there were some questions as to the impact 
that immediate access to pornography could have on society as a whole. A study 
which exacerbated this issue was published by an undergraduate student named 
Martin Rimm at Carnegie Mellon University in 1995 who attempted to docu- 
ment the scope of pornography online at the time (Godwin, 2003). His study, 
commonly referenced as the Carnegie Mellon Report, suggested that over 
80 percent of images on the Internet involved sexually explicit content. The 
report’s findings led to tremendous coverage in major news outlets, like Time 
magazine and Nightline, about the threat of cyberporn (Godwin, 2003). Policy- 
makers began to call for restrictions on pornographic content on the Internet, 
which created a small moral panic over how youth may be corrupted by the 
ability to see pornography online. Shortly after this firestorm began, academics 
began to review the methods employed in his work and discredited its findings 
based on limited methods and questionable ethics (Godwin, 2003). Regardless, 
Rimm’s work had long-standing impact on the perceived availability of por- 
nography on the Internet and affected legislation to deal with obscene content. 


For more on the fallout from the Carnegie Mellon Report, go 
online to: www.columbia.edu/cu/21stC/issue-1.2/Cyber.htm 


Even now, the evolution of applications, high-quality digital cameras in 
mobile phones and tablets, and online outlets are affecting the production of 
pornography and adult content. The photo-sharing application SnapChat, 
which deletes images after being viewed by the recipient, has a base of users 
who have monetized the service as a mechanism to produce pornographic pho- 
tos and videos. Individuals need only set up a premium account, where others 
pay to view the user’s content via various services like PayPal (Moloney, 2019). 
Individuals have also used sites like Instagram as a means to advertise their own 
content. Interested parties can become subscribers to a content creator’s feed 
on Patreon or OnlyFans and get access to all the materials they generate (Zen, 
2020). Not only do amateurs use these sites, but so do traditional porn stars, 
as well as celebrities like Cardi B and Amber Rose (Rana, 2020). As a result, 
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estimates from OnlyFans indicates that content creators have been paid over 
$1 billion via subscriber fees (Rana, 2020). 

The popularity of photos and videos taken by amateurs using mobile phone 
cameras, whether voluntarily or as “revenge porn” (discussed below), has cre- 
ated a unique demand for this content. Not only have professional pornography 
producers simulated this content with professional performers, but individuals 
also share amateur content with others online via forums and file sharing sites. 
The desire for amateur content may have been part of the driving force for the 
release of illegally acquired photos and videos of multiple celebrities on 
August 31, 2014 (Drury, 2015). The images initially appeared on the website 
4chan, but later appeared on a range of websites around the world, and has been 
referred to as The Fappening (slang for masturbation), or Celebgate due to 
the target of the releases. The content of major and minor celebrities who were 
iPhone users were acquired through phishing schemes to obtain their user- 
names and passwords (Drury, 2015). In turn, several hackers gained access to 
hundreds of celebrities’ content hosted on the Apple iCloud storage platform. 
The images acquired were shared widely across the web, though attempts to 
remove the content from websites or blogs are always defeated by individuals 


who repost it elsewhere. 


For more on the ways that celebrity data was acquired from 
iCloud, go online to: https://www.zdziarski.com/blog/?p=3783 


The Internet also facilitates paid sexual services of all kinds, which operate 
at varying degrees of legality. The development of high-speed Internet con- 
nectivity and live-streaming video feeds allow male and female performers to 
engage in sex shows on demand where they are paid for their time (Roberts 
& Hunt, 2012). Sites like LiveJasmin and CamSoda provide access to perform- 
ers who engage in text-based conversations with individuals viewing them on 
streaming-video feeds and take requests for specific behaviors or sexual acts. In 
turn, the performer can be taken into a private session where the viewer pays 
by the minute to interact with and direct the performer to engage in various 
activities (Roberts & Hunt, 2012). Though these exchanges do not involve 
actual physical contact between the provider and client, making the encounters 
completely acceptable from a legal standpoint, the acceptance of payment makes 


this a form of sex work. 
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Box 7.1 The Growth of VR Porn Content in 2020 


More and More People Are Turning to VR Porn during 
Self-lsolation for Comfort from Depression, Anxiety, and 
Frustration 


https://www.insider.com/adult-entertainment-industry-seeing-rise- 


in-vr-porn-isolation-2020-3 


Daniel Abramovich, the CEO and cofounder of VR Bangers, told 
Insider his company has seen a 30% growth in sales since the coronavi- 
rus lockdown began. He said this is probably because “people are going 


crazy at home.” 


This article gives an assessment of the increased proportion of porn site vis- 
its and use of VR pornography during the COVID-19 shutdowns globally. 


As technology continues to evolve, pornography producers have also 
attempted to stay current with new trends. In particular, the pornography indus- 
try is creating content specifically for use in virtual reality (VR) headsets, where 
individuals insert their smartphones into a special wearable headset-cradle that 
produces an entirely immersive experience (see Box 7.1 for more detail). Scenes 
are shot specifically for VR users using multiple cameras and are edited so as to 
place the viewer directly into the scene. Regardless of the acceptance of VR as 
a new media platform, this example clearly demonstrates that the landscape of 
porn will continue to evolve in tandem with our use of popular technologies. 


Image-Based Sexual Abuse 


As technologies have improved over the last two decades, the ability for humans 
to connect in real time has increased dramatically. In the early days of the web, 
bulletin board systems (BBSs) and chat rooms gave people the ability to talk via 
text, though this lost some of the context of facial and emotional expression, 
such as laughter or anger. As camera and video technology evolved, so did 
its use online through the introduction of Skype and other video-chat pro- 
grams. The inclusion of cameras in virtually all computing devices has led to 


the growth of social media platforms focused on sharing photos and videos with 


others, such as Snapchat and Instagram. 
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As a result, an increasingly large number of people are using these technolo- 
gies to enhance their romantic relationships or flirt with others, though this was 
not perhaps the intention of the developers. People can send photos or videos of 
themselves in provocative outfits or engage in sexually suggestive activities with 
great ease through text messaging. This activity, colloquially called sexting, has 
become popular as it is perceived as a way to attract or stimulate a prospective 
partner with a degree of security since it is directed toward only one recipient, 
rather than routed through an email client, which might make the content vis- 
ible to others (Mitchell et al., 2012). In fact, the impact of sexting on popular 
culture can be seen in songs such as the 2015 Top-40 rap song by Yo Gotti 
called “Down in the DM” which explores the process of sending and receiving 
nude images via social media sites. 

The seemingly common practice of sexting has led researchers to examine 
the prevalence of this activity among young people. Estimates of the prevalence 
of sexting vary by place, but have consistently increased over time (Madigan 
et al., 2018). A recent meta-analysis of American studies indicated an average 
of 14.8 percent of high school students sent sexts, and 27.4 percent received 
sexts (Madigan et al., 2018). In Australia, researchers have reported substan- 
tially wider uptake. For example, Lee et al. (2015) found that two-thirds of a 
large convenience sample of Australian high school students had received a sext 
and almost half reported they had sent a sext of themselves (also see Patrick 
et al., 2015). 

Regardless of the proportion of people who engage in sexting, it is important 
to know that the instant the photo or video is sent, it is no longer something 
that the sender can control. Even content sent via social media sites like Snap- 
chat, that suggest no user content is retained, can still be captured via screen- 
shots. A recipient can easily circulate the content to others or repost the image 
on a social media site, like Facebook, to embarrass the sender (Mitchell et al., 
2012). Worse still, a number of websites have emerged specifically for individu- 
als to post sexual images and videos they received or acquired for others to see. 
These sites are often referred to as revenge porn, as people often post content 
they received from an intimate partner after a relationship sours, or by hacking 
someone’s phone or email account in order to acquire pictures and embarrass 
the sender (Halloran, 2014). 

The release of revenge pornography, or the uploading of nude or seminude 
images or videos of others without their consent (Bates, 2017), has become pop- 
ular, leading to the development of multiple websites dedicated to such content. 
For instance, the website IsAnyoneUp.com, which was subtitled “Pure Evil,” 
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was created by Hunter Moore in 2010 (Dodero, 2012). He began to post pic- 
tures of a woman who continuously sent him sexual images on a blog space and 
provided a link for others to submit photos to be posted. As content began to 
roll in — some from hackers, some from ex-girlfriends and boyfriends, and some 
from individuals just interested in seeing themselves online — Moore would 
link the photos to the Facebook or Twitter page of the individual featured 
(Dodero, 2012). The site became quite popular, though it drew substantial crit- 
icism from individuals who were unwittingly featured on the site. As a result, 
Moore sold the site to an anti-bullying group in 2012, arguing that he was no 
longer able to support the site due to its expenses and the difficulties of report- 
ing the submitted images of child pornography to law enforcement. Eventually, 
Moore and a hacker he worked with were indicted in January 2014 in federal 
court on 15 counts of violations of the Computer Fraud and Abuse Act on the 
premise that photos were acquired through the use of hacking techniques and 
identity theft (Liebelson, 2014). Both were eventually found guilty, though 
some argue their sentences were too lenient relative to the impact they had on 


their victims’ lives (see Box 7.2 for more discussion). 


Box 7.2. The Impact of Image-Based Sexual Abuse 
on Its Victims 


Hunter Moore Revenge Porn Victim Got a Whopping $145.70 
in Restitution 


http://motherboard.vice.com/read/hunter-moore-revenge-porn-victim- 


got-a-whopping-14570-in-restitution 


The $145.70 is being paid to a single victim, identified only as L.B. Her 
email account was hacked in 2011 by Moore’s co-defendant, Charles 
Evens, who was sentenced to 25 months in prison last week. Hunter 
Moore paid Evens to acquire as many hacked photos as possible. 


This article provides a discussion of the outcome of the prosecution of 
Hunter Moore and Charles Evens, who published sexual images of mul- 
tiple women on the website isanyoneup.com. The issue of victim resti- 
tution relative to the impact that the publication of revenge porn content 
has on their lives is explored, giving context to the need for greater legal 


solutions to assist individuals whose lives have been affected. 
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Studies have shown that revenge pornography is a significant and growing 
problem in both youth and adult samples. Estimates vary based on sampling, 
methodology, and definitional differences. Crofts et al. (2015) found that one in 
five young people reported showing a nude image of an individual to another 
without the depicted person’s permission. For adults, victimization rates for the 
nonconsensual sharing of nude images generally range between 1 and 12 per- 
cent (Henry & Flynn, 2020). For example, 8 percent of a sample of Facebook 
users reported that someone had posted a sexually explicit image or video of 
themselves without their permission (Eaton et al., 2018). Similarly, 10 percent 
of an Australian sample reported that a nude image of themselves has been 
shared without their consent (Powell & Henry, 2017). Unfortunately, all esti- 
mates of revenge pornography will always be underestimated because victims 
have to be aware that their images were shared or posted without their consent 
in order to be able to report their victimization (Henry & Flynn, 2020). 

Victims of revenge pornography may suffer serious consequences as a result 
of their images being shared either privately and/or publicly without their per- 
mission. Victims often experience shame and humiliation as well as significant 
mental health problems resulting from this traumatic and possibly repeating 
victimization, including anxiety, depression, post-traumatic stress disorder, and 
suicidal thoughts (Bates, 2017; Powell et al., 2018). The Cyber Civil Rights 
Initiative (2014) found that 93 percent of IBSA victims suffered significant 
emotional distress as a result of their nude images being distributed online with- 
out their consent. Almost half (49 percent) also experienced online harassment 
or stalking by individuals who had seen the images. It is therefore not sur- 
prising that many victims are extremely fearful for their safety (Powell et al., 
2018). As a result, many victims may also self-isolate and alter both their online 
and offline behavior to avoid interacting with others (Bates, 2017). The ripple 
effects of this victimization may lead victims to lose their employment, have 
difficulties obtaining new jobs, and have challenges with future relationships 
(Citron & Franks, 2014). 

Today, many victim advocacy groups, policy makers, and scholars reject the 
term “revenge pornography” for four primary reasons (Henry & Flynn, 2020). 
First, offenders in many cases may have other motivations than revenge for 
“revenge pornography.” Second, the term leads to an over focus on offenders 
and victims who were in previous relationships and ignores other categories, 
such as offenders who take or steal nude images of the victim without their 


knowledge. Third, the term has victim-blaming connotations in that it implies 
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the victim is responsible for the creation of the nude images and behaved in a 
way that caused the offender to act in the way that they did. Fourth, the term 
brings more attention to the images themselves rather than the behavior of the 
perpetrator (Henry & Flynn, 2020). 

As a result, many scholars have transitioned from the term “revenge por- 
nography” to other terms, such as “nonconsensual pornography” (Citron & 
Franks, 2014) or more notably “image-based sexual abuse (IBSA)” (e.g., 
Powell & Henry, 2017). These terms can better capture the different behaviors 
(e.g., upskirting, downblousing, hacking someone’s computer and stealing 
images, etc.) and relationships (e.g., strangers, current relationship) that can 
exist within the unauthorized taking and sharing of nude images. In addition, 
the terms allow for examination of motivations other than revenge, such as 
monetary gain, power, sexual pleasure, and entertainment. The different terms 
hopefully also remove some of the victim blaming connotation that can occur 
when discussing “revenge pornography” and instead better capture the trau- 
matic effects this abuse has on victims. Finally, these terms focus more on the 
abusive actions of the offender than the sexual content of the images (Henry & 
Flynn, 2020). 


For more information on how to remove image-based sexual 


abuse images from the Internet, go online to the Cyber Civil 


Rights Initiative’s Online Removal Guide: https://www.cybercivil- 
rights.org/online-removal/ 


Prostitution and Sex Work 


In recent years, researchers have explored the influence of technology on what 
is arguably the world’s oldest trade — prostitution. The practice of paying for 
sex can be viewed as a sort of labor market where there is both a demand from 
clients or those who pay for the encounter and those suppliers who are paid for 
their services. 

There is a range of providers currently engaged in the sale of sexual ser- 
vices, with prostitutes who work soliciting individuals on the street comprising 
the lowest rung of sex work (Lucas, 2005). Though studies estimate street 
prostitutes compose 10-20 percent of all sex workers, they are often racial 
minorities who receive very low wages and face significantly higher rates of 
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arrest (Alexander, 1998; Cooper, 1989; Hampton, 1988; Levitt & Venkatesh, 
2007; Rhode, 1989; West, 1998). The larger proportion of sex workers oper- 
ates behind closed doors in homes, apartments, and businesses (such as massage 
parlors and strip clubs), where the risk of arrest is substantially lower. Finally, 
escorts and high-end call girls comprise the highest echelon of sex workers and 
are thought to make much higher wages than any other sex workers (Lucas, 
2005; Moffatt, 2005; Weitzer, 2000, 2005). 

Paid sexual encounters were traditionally driven by discrete face-to-face 
exchanges on the street or behind closed doors in the real world. The emer- 
gence of the Internet and CMCs has revolutionized the practice by enabling 
providers and clients to connect on a one-to-one basis at any time. For instance, 
individuals can text or email sex workers to determine their availability and set 
up meetings. In fact, many escorts now operate their own websites and blogs 


and advertise in various outlets online to attract customers. 


For more on the role of the Internet in prostitution and human 
trafficking, go online to: http://www.commercialappeal.com/story/ 
news/crime/2017/01/27/ex-mata-ceo-among-arrests-memphis-sex- 
trafficking-sting/97132652/ 


Similarly, the customers of sex workers now use the web in order to com- 
municate with others in order to gain insights into the resources available in 
their area and review the services of various providers (Blevins & Holt, 2009; 
Cunningham & Kendall, 2010; Holt & Blevins, 2007; Hughes, 2003; O’Neill, 
2001; Raymond & Hughes, 2001; Sharp & Earle, 2003; Soothill & Sanders, 
2005). These exchanges often occur in web forums and review websites and 
focus on the customer experience, including detailed discussions of the ser- 
vices offered by all manner of sex workers, as well as the attitude and behavior 
of prostitutes before, during, and after sex acts (Cunningham & Kendall, 2010; 
Holt & Blevins, 2007; Sharp & Earle, 2003; Soothill & Sanders, 2005). There 
are now numerous websites where individuals can post reviews of their expe- 
riences with sex workers (see Box 7.3 for details). In addition, these websites 
provide specific detail on the negotiation process with sex workers, final costs 
for various sex acts, and the use of condoms during encounters (Cunningham 
& Kendall, 2010; Holt & Blevins, 2007; Sharp & Earle, 2003; Soothill & 
Sanders, 2005). 
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Box 7.3. The Challenges of Escort Review Sites 


“Yelp for Sex”: Review Boards that Rate Women Flourish 
after Crackdown on Ad Sites 


https://www.nbcbayarea.com/news/local/sex-review-boards-internet/ 
151516/ 


Rarely do these men wonder aloud about whether the woman or girl 
they're reviewing is a consensual sex worker or coerced, despite evi- 
dence that at least some of the providers are victims of sex trafficking. 
Nor do they seem to consider the humanity of the other person, who 


is often boiled down to her physical attributes and objectified. 


This article provides a unique exposé on the ways that local law enforce- 
ment in the United States use escort-review websites as a means to inves- 


tigate prostitution and sex crimes generally. 


The volume of information available online provides substantive detail on 
the largely hidden processes of the negotiations between clients and sex work- 
ers operating in the streets, as well as behind closed doors (Holt et al., 2013). 
Additionally, these posts give the client’s point of view, which is often under- 
examined but critical, since their demand for sexual services affects the supply 
available. Prospective clients of sex workers who access these forums can use the 
information posted to evade high-risk areas while identifying and acquiring the 
sexual services they desire. This may decrease the success of law enforcement 
efforts in those nations where prostitution is illegal and, simultaneously, increase 
the knowledge of prospective customers to negotiate with workers across vari- 
ous environments (Holt et al., 2013; Scott & Dedel, 2006). 


The Clients of Sex Workers 


The emergence of online communities that enable information sharing among 
the clients of sex workers has changed the process of soliciting sex workers. The 
development of online communities allowed individuals to discuss their pref- 
erences and experiences with no fear of rejection or embarrassment. In fact, 


research by Blevins and Holt (2009) found that there is now a subculture of 


clients in the US operating in a series of web forums that is guided by their 
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preferences and interests. This subculture places significant value on the notion 
that paid sexual encounters are normal and non-deviant. In fact, those who 
visited sex workers placed significant value on their experiences and knowledge 
of the sex trade. As a result, they would not refer to themselves as “johns” or 
“tricks,” as they are known in popular culture (Scott & Dedel, 2006). Instead, 
forum users avoided such derogatory terms in favor of terms like “monger” or 
“hobbyist” to recognize that they are interested in paid sexual encounters and 
enjoy the experience. Individuals who posted great detail about their experi- 
ences with sex workers were often viewed as senior members. As a result, those 
who were unfamiliar with the sex trade can ask for assistance from more senior 
or experienced members in the forum to gain information. 

Additionally, the customers of prostitutes viewed sex and sex workers as a 
commodity, in that encounters cannot occur without payment. Thus, johns 
regularly referred to sex workers on the basis of where they worked, whether 
in streets, strip clubs, or advertised online using abbreviations such as street- 
walker or SW to indicate the worker is a street-walking prostitute. Similarly, 
forum users would include terms to describe the build and appearance of sex 
workers that objectify them in some fashion. In particular, forum users typically 
discussed the mileage of a sex worker, referring to their appearance and how 
it had degraded over time in the sex trade. The notion of mileage is most often 
used in reference to cars, motorcycles, and vehicles, suggesting that customers of 
sex workers view the providers, first and foremost, as a commodity rather than 
a person. In addition, the participants in prostitution forums focused heavily on 
the costs associated with various sexual acts and the negotiation process between 
the client and provider (see Box 7.4 for more detail on the actual thoughts of 
a hobbyist). 

Finally, the subculture of client-centered prostitution forums focuses on sex- 
uality and the way that sex is experienced. Many of the posts in these forums 
were dedicated to depicting the types of sex acts and services that certain pros- 
titutes would provide in very graphic detail. The users commonly discussed the 
acts that providers would offer and whether or not they used condoms. There 
was also some discussion of the quality of the experience, as prostitutes who 
could make the experience feel like a consensual relationship with no money 
involved were said to provide girlfriend experience, or GFE (Blevins & Holt, 
2009; Milrod & Monto, 2012; Sharp & Earle, 2003; Soothill & Sanders, 2005). 
Since there was no way to guarantee that the experience of one user would be 
consistent with others, some would use the term your mileage may vary 
(YMMV) in reference to the variation in encounters. 
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Box 7.4 The Opinions of a Hobbyist in Canada 


We Spoke to a Sex Industry Hobbyist, the Worst Kind 
of John 


https://www.vice.com/en_ca/article/ we-spoke-a-sex-industry- 
hobbyist-the-worst-kind-of-john 


I have been using the boards for about eight years. I use the review 
boards for one reason: to find out if there are any new girls in the 
hobby. Cheap whores you can find anywhere; in bars, massage par- 
lours, strip clubs. But new girls, that still have a bit of authenticity to 


them, are rarer. 


This article provides a unique interview with a frequent customer of sex 
workers who participates in multiple online forums to learn about the trade. 
His perspective validates some of the findings from researchers regarding 


the values and beliefs of the clients of sex workers in online communities. 


Dealing with Obscenity and Pornography Online 
Existing Legislation 


The way that obscenity is defined varies by place and is heavily dependent on 
prevailing social standards. In the United States, legal definitions of obscenity 
have evolved over time through cases reviewed by the Supreme Court. In fact, 
the case of Miller v. California in 1973 established the definition of obscene 
content that is still in use today (US Department of Justice, 2020). A work can 
be deemed obscene and, therefore, not protected by the First Amendment right 


to free speech, if it meets one of these three criteria: 


1 an average person who is capable of applying contemporary adult community 
standards finds that material appeals to prurient interests, defined as “‘an erotic, 
lascivious, abnormal, unhealthy, degrading, shameful, or morbid interest in 
nudity, sex, or excretion;” 

2 an average person applying contemporary adult community standards deter- 
mines that a work depicts or describes sexual conduct in a patently offen- 
sive way, defined as “ultimate sexual acts, normal or perverted, actual or 
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simulated, masturbation, excretory functions, lewd exhibition of the genitals, 
or sado-masochistic sexual abuse;” and 

3 lacks serious literary, artistic, political, or scientific value (US Department of 
Justice, 2020). 


This decision provides each community and state with the flexibility neces- 
sary to define what constitutes indecent or obscene materials (Tuman, 2003). 
In addition, it identified that there are differences between minors and 
adults, which require youth to be protected from obscene content. Because 
the government has the responsibility to protect youth from harmful or 
obscene content, the standard for what constitutes obscenity for minors is 
lower than that for adults. The three-pronged Miller standard still applies, 
though in the context of standards for “minors,” harmful materials constitute 
“any communication consisting of nudity, sex, or excretion” (US Depart- 
ment of Justice, 2020). 

A number of federal statutes are present concerning obscene content. Under 
Title 18 U.S.C. 1460-1470, it is a crime to: 


1 possess obscene material with the intent to distribute those materials on Fed- 
eral property, 

2 import or transport obscene materials across borders, 

3 distribute or receive obscene material through a common carrier in interstate 
commerce, including postal mail, private carriers, or computer and Internet 
based services, 

4 broadcast obscene, profane, or indecent language via television, radio, or 
cable and subscription television services, 

5 knowingly produce, transport or engage in the sale of obscene, lewd, or filthy 
material through interstate commerce, and 


6 transfer obscene materials to minors. 


The punishments for these offenses vary based on the severity of the offense (US 
Department of Justice, 2020). Possession with intent to distribute obscene mate- 
rials on federal property and broadcasting obscene content can lead to a fine 
and/or a two-year prison sentence. All other offenses, with the exception of 
transferring obscene content to minors, can be punishable by a five-year prison 
sentence, a fine, or both (see Box 7.5 for a review of some of the obscenity 
cases prosecuted over the last two decades). Individuals who are found guilty of 
transferring obscene content to minors can receive a prison sentence of up to 


ten years and/or a fine (US Department of Justice, 2020). 
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Box 7.5 The Vagaries of Prosecuting Obscene 
Content Online 


Why Can You Go to Prison for Making Scat Porn? 


https://www.vice.com/en_au/article/why-is-the-guy-who-made-2- 


girls-one-cup-going-to-jail 


Ira Isaacs was in the same business as the creator of 2 Girls 1 Cup, and 
as a result, he’s been sentenced to 48 months in jail for “producing and 


selling obscene videos and distributing obscene videos. 


This article provides a plain spoken review of the range of pornography 
creators and distributors who have been prosecuted in the United States 
for making obscene content available online. It gives the reader a clear 
understanding of the situations and circumstances that are likely to lead to 
federal charges against pornographers. 


It should be noted that there have been several attempts to legislate obscene 
content hosted online in the United States. Various Acts have been passed, such 
as the Child Online Protection Act (COPA), though they were eventually 
overturned by the court system on the basis that they limit the potential for free 
speech (Brenner, 2011). Perhaps the most important of these laws was made 
to the Communications Decency Act of 1996 (CDA), which regulated 
online indecent content, specifically pornography and other obscene materials. 
The language of the act criminalized the use of computer services to send or 
display content to anyone under the age of 18 that included “any comment, 
request, suggestion, proposal, image, or other communication that, in context, 
depicts or describes, in terms patently offensive as measured by contemporary 
community standards, sexual or excretory activities, or organs” (Brenner, 2011). 

The broad scope of this language led the law to be overturned on the basis it 
limited all people’s right to free speech, though one section of the law remained 
in place: Section 230 (Brenner, 2011). This section was actually an amendment 
to The Communications Act of 1934 which was created to limit and regulate 
the transmission of obscene content over the radio and television. Language was 
added to regulate online spaces via the CDA to create a degree of responsibil- 


ity to content creators via web sites, service providers, and ISPs to minimize 


the exposure of obscene content through their platforms (Brenner, 2011). This 
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legislation also added a key provision that limited the legal liability of online 
service providers, Internet Service Providers, and users on the basis of third- 
party generated content. Known as a Good Samaritan provision, it states “No 
provider or user of an interactive computer service shall be treated as the pub- 
lisher or speaker of any information provided by another information content 
provider.” As an example, YouTube is not responsible if obscene content is 
generated and uploaded to their site, as they simply host videos. This language 
provides ISPs and web sites with substantive protection from legal and civil 
actions (Brenner, 2011), though this provision was recently edited which is 
discussed later in this section. 

In addition, the US criminalized the use of misleading domain names in 
order to draw Internet users to websites hosting sexually explicit or obscene 
content under the Truth in Domain Names Act of 2003 (Brenner, 2011). 
One of the first individuals arrested under this law operated a range of websites 
using domain names that were misspelled versions of popular artists and intellec- 
tual property for kids. For instance, his site www.dinseyland.com featured hard- 
core pornography and was a direct misspelling of the legitimate website www. 
disneyland.com (CNN, 2003). The operator of the site can be imprisoned for 
up to two years (or up to four if the domain name was selected to intentionally 
attract minors to the site) and may be fined up to $250,000. 

To demonstrate the variation in what is defined as obscene, the Obscene 
Publications Act (OPA) of 1959 for England and Wales indicates any arti- 
cle may be obscene if its effect on the audience member who reads, views, 
or hears it is to “deprave and corrupt” (Crown Prosecution Service, 2019). 
The decision regarding what is obscene is to be determined by a jury without 
the assistance of an expert, which to a certain degree mirrors the US concept 
of community standards in establishing obscenity (Crown Prosecution Service, 
2019). The law does specify that most depictions of sexual intercourse or fetish 
activities that are consensual are unsuitable for consideration as obscene, though 
more serious depictions of rape, torture, bondage, degrading sexual acts such as 
the consumption of excretion, and sex with animals are appropriate for pros- 
ecution (Crown Prosecution Service, 2019). This includes video, audio, and 
photographic images in physical print, such as magazines and DVDs, as well as 
content distributed over the Internet. 

Individuals who publish or sell obscene articles for economic gain and are found 
guilty of violating this act can be fined and imprisoned for between three and five 
years, as a result of a recent enhancement of sentences through the Criminal Jus- 
tice and Immigration Act 2008 (Crown Prosecution Service, 2019). This act 
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also criminalized the possession of extreme pornography, defined as materials 
produced for the purpose of sexual arousal which depict acts that “threaten a per- 
son’s life; acts which result in or are likely to result in serious injury to a person’s 
anus, breasts or genitals; bestiality; or necrophilia” (Crown Prosecution Service, 
2019). For instance, acts involving the insertion of sharp instruments (such as 
blades or needles) mutilation and cutting, choking, or serious blows to the head 
or body are all potentially illegal under this new law. This legislation also allows 
individuals who possess extreme pornography that threatens a person’s life or leads 
to serious injury to be fined or imprisoned for up to three years, while all other 
images, such as bestiality, can lead to a maximum sentence of two years in prison 
(Crown Prosecution Service, 2019). 

An additional set of laws were passed and implemented in 2001, requiring 
the implementation of filtering and security protocols to protect youth. The 
Children’s Internet Protection Act (CIPA), which covers all schools that 
teach students from kindergarten through 12th grade, and the Neighborhood 
Children’s Internet Protection Act (NCIPA) which encompasses public 
libraries, require Internet filters in these locations that block young people 
from accessing harmful content, including pornographic and obscene materials 
(Federal Communications Commission, 2013). Also, the law requires that a 
“technology protection measure” must be implemented on every computer 
within the facility that is connected to the Internet, and each institution must 
adopt and implement an Internet safety policy addressing most forms of cyber- 
crime (Federal Communications Commission, 2013). In the event that such 
filters are not put in place, the school or library may lose certain federal fund- 
ing and grants. 

As for the sending of sexual content by individuals using mobile technology 
and digital photography, teenage sexting is illegal in all 50 states within the 
United States (O’Connor et al., 2017). Half of US states (26 states) and Wash- 
ington DC have specifically criminalized the act of someone sending sexual 
images of themselves to minors (Hinduja & Patchin, 2019). In the other states, 
child pornography statutes are used to prosecute teenage sexting cases (O’Con- 
nor et al., 2017). Interestingly, only nine states specifically use the phrase sexting 
in the language of their statutes. The criminal penalties associated with sexting 
range from community service and minor misdemeanors to felonies and being 
required to register as a sex offender, depending on whether the offender is 
convicted under a sexting or child pornography statute (O’Connor et al., 2017). 

Sexting laws were intended to protect minors from adults sending sex- 
ually explicit content, not from teens sending images to other teens. Some 
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critics, however, argue they unfairly stigmatize youth for engaging in sexual 
behaviors that have become a somewhat normal feature of sexual relation- 
ships in the modern age. This may explain why there is no federal legislation 
to date involving sexting behaviors in the United States and in most other 
Western nations. 

Much like sexting, the distribution of sexual images without permission 
from its creator presents a unique challenge for lawmakers. On one side, indi- 
viduals argue that if a person creates the content herself or himself (but normally 
herself) and sends it to others, s/he loses ownership of those images and control 
of whether or where those images are posted. Others argue that it is a violation 
of trust and that the lack of consent from the person who took the image should 
keep the content from being posted elsewhere. There has been substantive pub- 
lic outcry over the need for criminal and civil remedies to combat this activity 
in nations across the globe. 

Forty-eight states and the District of Columbia have developed laws crimi- 
nalizing the nonconsensual disclosure of sexual images or content (Cyber Civil 
Rights Initiative, 2021). Some states, like Utah, have made the release of images 
a misdemeanor, while others such as Arizona have made it a felony. Addition- 
ally, some states have created civil statutes allowing victims to sue the individual 
involved in the release or threat to release content for damages, legal costs, and 
related fees. 

The United States does not have a federal statute criminalizing IBSA. The 
House of Representatives in early 2021 passed the Stopping Harmful Image 
Exploitation and Limiting Distribution Act of 2021 (the SHIELD Act) as an amend- 
ment to H.R. 1620, the Violence Against Women Reauthorization Act of 
2021. The SHIELD Act would allow the Department of Justice to prosecute 
individuals who distributed private, sexually explicit images or nude images of 
individuals without their consent and who had expectations that the images 
would remain private. The offender could be punished with up to two years in 
prison for each person’s images that are distributed. At the time of the writing 
of this textbook in early-2021, the US Senate had not yet voted on reauthoriz- 
ing the Violence Against Women Act, including the SHIELD Act Amendment 
(Robertson, 2021). 


For more information on image-based sexual abuse legislation 
in the United States, go online to: https://www.cybercivilrights.org/ 


revenge-porn-laws/ 


Pornography, IBSA, and Prostitution 


Several nations have criminalized posting sexual content without the author- 
ization of the creator. For instance, France has made it illegal for a person to 
transmit the picture of a person who is within a private place without their 
consent (Clarke-Billings, 2016). Canada and the United Kingdom have similar 
legislation, though the United Kingdom added language that the sender must 
have an intent to cause distress to the individual featured in the content. In the 
United Kingdom, individuals found guilty could be imprisoned for up to two 
years and face a fine. India’s Information Technology Act 2000 also criminalizes 
capturing, transmitting, or publishing images of a person’s private parts without 
their consent or knowledge. Violating this statute is punishable by up to three 
years in prison or a fine of up to 200,000 rupees. Israel may have the most severe 
sanctions associated with IBSA, as the offender can be classified as a sex offender 
and be subject to up to five years in prison (Clarke-Billings, 2016). 

It is important to note that many nations have laws pertaining to prostitu- 
tion at both the local and federal level. The sale of sex has been criminalized, 
though the extent to which it is enforced is highly inconsistent. Several South- 
east Asian nations (e.g., Malaysia, the Philippines, and Thailand) do not strictly 
regulate prostitution, making them an ideal locale for individuals interested in 
sex tourism, particularly for sexual encounters with minors (Nair, 2008). Addi- 
tionally, few nations have language in their criminal codes regarding the use of 
technology in order to acquire or solicit sexual services. As a result, Western 
nations have criminalized the act of sex tourism (Nair, 2008). For instance, the 
US federal criminal code (18 USC § 2423(c)) criminalizes the act of traveling to 
a foreign country to engage in paid sexual encounters with minors. This is true 
even if the activity is legal in the country where the act took place (Nair, 2008). 
Individuals found guilty under this statute can be fined and imprisoned for up 
to 30 years. Additionally, many Western nations have criminalized the act of 
paying for sex with minors in order to protect youth from commercial sexual 
exploitation (Brenner, 2011). 

The United States also passed somewhat controversial laws designed to curb 
sex trafficking on and offline in 2018. The Stop Enabling Sex Traffickers 
Act (SESTA) and Allow States and Victims to Fight Online Sex Traf- 
ficking Act (FOSTA) were designed to make it illegal to knowingly assist, 
support, or facilitate sex trafficking, and specifically amended a key part of the 
CDA (Romano, 2018). The language of FOSTA changed section 230 of this 
CDA, making it possible for law enforcement actions to be taken against web 


sites and online service providers who are used in some way to facilitate sex traf- 


ficking and sexual exploitation of children (Romano, 2018). The clarification 
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did not eliminate this content from the web and rather appears to have moved 
many websites to be hosted in other countries so as to minimize legal exposure 


to site owners and users. 


Self-Regulation by the Pornography Industry 


Though most every other thematic chapter ends with a discussion of the law 
enforcement agencies responsible for dealing with investigating violations of 
existing statutes, this chapter will differ due to the overlapping duties of agencies 
regarding the crimes discussed in the next chapter. To avoid redundancy, this 
chapter will focus instead on the role of industry in regulating and policing the 
presence of obscene content online. 

Currently, pornography producers are encouraged but not legally mandated 
to avoid exposing individuals under the age of 18 to obscene content. Prior laws 
that were specifically designed to minimize the likelihood that minors could 
access pornography have been overturned in the United States due to concerns 
over their effect on free speech nights (Procida & Simon, 2003). As a result, 
there are a range of techniques that pornographic websites hosted in the United 
States use to reduce the likelihood that young people access their content. In the 
1990s and early 2000s, a number of websites worked with Age Verification 
Services (AVS), which would, upon entry into the website, verify the age of 
an individual via a valid credit card or driver’s license (Procida & Simon, 2003). 

These services waned in popularity with changes in legislation and the 
increased availability of pornographic content via YouTube-style video sharing 
sites. Individuals no longer needed to pay to access pornographic content, as 
both users of content and producers began to see the popularity of video shar- 
ing sites that offered such media free of charge. Instead, many pornographic 
websites began to provide a warning page that pops up on screen prior to 
entering the actual website that requires individuals to certify that they are over 
the age of 18 and, therefore, legally able to access pornographic content and 
that they will not hold the site responsible for obscene content. There has been 
no legal ruling by federal courts as to whether this constitutes an acceptable 
attempt to keep minors from viewing pornography. In addition, a number of 
adult websites will also provide links at the bottom of the pop-up page to var- 
ious parental monitoring software programs in order to encourage safe surfing 
habits for youth. 

The technology and pornography industries have also found ways to 


improve their responses to the increasingly common problem of IBSA. For 
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instance, the search engine Google will now remove images and videos that 
were posted without the creator’s consent if they are identified via their search 
results (Lee, 2015). Victims must contact the company, but they are responsive 
to requests and will take down the content largely claiming that the site is in 
violation of the Digital Millennium Copyright Act laws governing intellectual 
property (see Chapter 5 regarding digital piracy laws; Lee, 2015). The Federal 
Trade Commission (see Chapter 6) also notes the importance of contacting 
service providers to assist in the takedown of content and has recently taken 
civil actions against websites hosting revenge porn to help minimize its spread 
(Leach, 2018). The major social media sites also honor requests to remove con- 
tent, as do a number of porn sites that allow users to upload content. This step 
has been lauded by some as a positive move by the industry to police itself from 
illegal content, though it does not keep people from reposting illicit content on 


their own. 


For more discussion on the steps social media services like Face- 
book are taking to combat image-based sexual abuse, see: https:// 


www.nbcnews.com/tech/social-media/inside-facebook-s-efforts-stop- 
revenge-porn-it-spreads-n1083631 


A final development in the way in which adult content is hosted online is 
the development of the .xxx domain (Matyszczyk, 2012). The creation of this 
top-level domain, similar to .com, .net, and .edu websites, provides a voluntary 
option for individuals to host pornographic content online. This domain was 
approved in March 2011 and implemented in April 2011 by the Internet Cor- 
poration for Assigned Names and Numbers (ICANN), which is respon- 
sible for the coordination and stability of the Internet over time. It was thought 
that the use of a .xxx domain would enable parents and agencies to filter con- 
tent with ease, though some were concerned that these sites could be blocked 
entirely, thereby limiting individuals’ rights to free speech (Matyszczyk, 2012). 

In 2012, there were 215,835 .xxx domains currently registered, though 
only 132,859 of these sites were actually adult oriented (Matyszczyk, 2012). 
A majority of the domains were registered by businesses and industries who 
did not want their brand or product associated with a pornographic website. 
At the advent of the creation of .xxx domains, it was not clear how these new 


spaces would be used or to what extent individuals were interested in actually 
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visiting .xxx spaces relative to those in the .com or .net space (Matyszczyk, 2012). 
Today, it appears that xxx domains less common than they were a decade ago. 
As of early 2021, there appears to be only approximately 90,000 .xxx domains 
associated with 2,000 unique IPs and 49,000 active websites (Zonefiles, 2021). 


Summary 


Taken as a whole, it is clear that any new technology that is made available to 
the general public will be incorporated into the pursuit of sexual encounters in 
some way. The extent to which that activity will lead to legal troubles varies, 
based on who is being affected and how. For instance, many nations may not 
take issue with the production of sexually explicit material featuring consenting 
adults, so long as it does not involve activities that push boundaries of taste or 
social standards. However, the use of technology to potentially embarrass or 
shame another who was featured in sexual content may be pursued. The con- 
stantly evolving state of technology, and its influence on social norms, makes it 
extremely difficult to develop laws related to its misuse in sexual situations. As 
a result, there is a need for constant inquiry into the nature of sexual offenses in 
online and offline environments to improve and adapt the criminal code to new 
offenses. Likewise, law enforcement must understand offender behaviors and 
enable successful prosecution of these cases. 
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Neighborhood Children’s Internet Protection Act (NCIPA) 
Obscene Publications Act (OPA) of 1857 
Obscene Publications Act (OPA) of 1959 
Obscenity 
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Prostitution 

Revenge porn 

Rule 34 
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Stop Enabling Sex Traffickers Act (SESTA) 
Street prostitution 

Streetwalker (SW) 

Tricks 

Truth in Domain Names Act of 2003 
Video cassette 

Video cassette recorders (VCRs) 

Wifey and Hubby 

Your mileage may vary (YMMV) 


Discussion Questions 


1. How do you use your computer, tablet, and/or smartphone for dating 
and romantic assistance? Do you think that the use of technology makes 
it easier or harder for people to meet others? 
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2. How could the development of the Internet and CMCs help reduce the 
risk of harm for individuals interested in the sex trade? In what ways does 
the ability to communicate about sex workers and review their services 
make it a less dangerous activity? 


iS) 


. Do you think it is appropriate to punish individuals who engage in sex- 
ting? What about individuals who post sexual images they receive from 
romantic partners online without the permission of the creator? Why or 


why not? 
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Chapter Goals 


e Define the terms child pornography and child sexual exploitation (CSE) 
material and how it differs from adult pornography 

¢ Understand the various ways technology may be used to facilitate CSE 
offenses 

e Recognize the clinical definition of pedophilia and its relationship to 
child sex crimes 

e¢ Understand the various typologies used to classify child pornography 
and abuse activities 

e Know the laws pertaining to CSE 

e Recognize the agencies responsible for the investigation of child sexual 
abuse material offenses around the world 


Introduction 


As noted in Chapter 7, the rise of the Internet has had a substantial impact 
on the production of sexually explicit material and pornography. People can 
access content focusing on virtually any single element of an individual’s sex- 
ual identity, from skin color to height to a performer’s age. A segment of the 
population has always expressed an interest in and sexual attraction toward 
young people (see Green, 2002). Within adult pornography, there is a history 
of publications and materials focusing on “barely legal” men and women who 
have just reached the age of 18. Young celebrities have also become increas- 
ingly sexualized, as with Brittney Spears and Jessica Simpson during the 1990s, 
Paris Hilton in the 2000s, and their current contemporaries Selena Gomez and 
Kylie Jenner. 

While such content may appeal to the majority of individuals with an 
interest in young men and women, there is a smaller segment of the general 
population whose interests extend to those who are much younger than 18. 
Though it is unknown what proportion of the population may be attracted to 
individuals who are under age, there is historical evidence that sexual relation- 
ships between adults and children were considered perfectly acceptable, such 
as in ancient Greece and feudal Japan (Green, 2002; O’Donnell & Milner, 
2007). Throughout the majority of the last century, individuals could find 
print publications and films featuring children engaging in sexual poses and 
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even penetrative intercourse with adults in various countries around the world 
up until the early 1980s (Tate, 1990). For instance, the United States only 
criminalized the production and commercial dissemination of sexual images 
of children in 1977. 

The stigmatization of individuals who were attracted to children led to 
the formation of advocacy groups who wanted to eliminate any laws related 
to the age of consent to engage in sexual acts. One of the more notable 
of these groups was formed in 1978 and called itself the North Ameri- 
can Man-Boy Love Association, or NAMBLA. The individuals who 
founded the group argued it is implausible that anyone under a certain age 
cannot understand or truly express their desire for an emotional or romantic 
relationship (Pearl, 2016). Similar groups could be found across the globe, 
such as the Australian Man/Boy Love Association and Vereniging Martijn 
in the Netherlands. 

Many of these groups eventually disbanded either because of law enforce- 
ment crackdowns or social pressure, but their general ideas persisted due in 
part to the connective power of the Internet and computers. Despite the crim- 
inalization of pornographic content featuring children in some, but not all 
countries, anyone who is attracted to young people can find others who share 
their interests online (International Centre for Missing and Exploited Chil- 
dren, 2020a). The Internet became a hub for the distribution of sexual images 
of children, and public anxiety grew over the potential that children could 
be solicited online to engage in sexual acts in the real world. This issue was 
exemplified by the popularity of the show To Catch a Predator, where 
undercover police would pose as an underage girl in various chat rooms online 
and engage in conversations with individuals who wanted to have sex with 
them. Eventually, the “girl” would invite the person they chatted with to their 
home under the pretense of a physical meetup, only to be met by the show’s 
host, Chris Hansen, and police officers to arrest the individual (see Box 8.1 for 
additional detail). 

This chapter elaborates on both the role of the technology in the crea- 
tion, distribution, and access to sexual content featuring children, as well as the 
nature of the communities that support or justify sexual attractions to young 
people. This chapter provides an overview of the ways that pornography 
featuring adults differs from that of children, as well as the various ways that 
individuals use child sexual exploitation material (CSEM) for not only 


personal use but to assist in developing sexual relationships with children 


online or offline. We also examine the laws used to prosecute CSE, and 
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Box 8.1. The Practices of To Catch a Predator 
They’re Still Showing Up 


http:// www.nbcnews.com/id/14824427/ns/dateline_nbc/t/theyre-still- 
showing/#.UAUeSF2zm94 


But his journey didn’t begin that day—it began more than a week 
earlier when he entered a Yahoo Georgia chat room and decided to 
hit on a decoy, an adult posing as a 15-year-old. It didn’t take long 
for the 23-year-old, screenname “scoobydooat101”, to steer the chat 


towards sex. 


This article, written by Chris Hansen who was the host of To Catch a Pred- 
ator, explains how the show was able to identify and draw in individuals 
who were interested in sexual relationships with young people. Readers 
will understand a bit more about the motivations of individuals who came 
into contact with the show’s undercover operatives and how they worked 


with police to make arrests. 


the organizations and law enforcement agencies that investigate these crimes 


across the globe. 


Defining and Differentiating Child Pornography 
and CSEM from Obscene Content 


As noted in Chapter 7, the Internet and digital media played a pivotal role in 
the production of pornography featuring consenting adults and created con- 
troversy around the ease of access to lewd or obscene content. This discus- 
sion pales in comparison to the social panic surrounding the availability and 
distribution of pornographic content featuring children via the Web (Lynch, 
2002; Quinn et al., 2004). Child pornography is defined as the depicting 
of “the sexual or sexualized physical abuse of children under 16 years of 
age or who appear to be less than 16 that would offend a reasonable adult” 
(Krone, 2004, p. 1). Content can include both video and still photos, and in 
some countries, content featuring computer-generated or simulated depic- 


tions of children. 
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The fact that children are the focus of the sexual nature of these images, as 
both the subject of the work and a participant in the acts, makes this content 
different from traditional obscene content outlined in Chapter 7. Though both 
forms of content may involve expressions of sexuality, they differ in the ways 
that participants come to engage in the acts depicted. For instance, participants 
in obscene images and pornography largely give their consent to engage in 
sexual acts and be photographed or videotaped doing so. Individuals under the 
age of 16 are unable to fully understand the implications of their actions, par- 
ticularly infants, toddlers, and young children who may not be able to verbally 
communicate. Their naivety and inability to comprehend the nature of any act 
makes children unable to give their consent to engage in sexual acts, particularly 
with adults. 

An additional difference lies in the fact that obscene content featuring adults 
is often produced with compensation provided to the participants. An adult par- 
ticipant may have circumstances that force them to engage in such acts, whether 
serious debt or personal hardships, but they receive some sort of benefit for their 
efforts. In addition, an adult will subvert the trust children have in order to force 
or convince them to engage in an act. When an adult, who is seen as a protector 
or mentor, manipulates a minor’s trust in this manner, the loss of boundaries 
leads to psychological harm for the child (see Sinanan, 2015). For instance, some 
may attempt to convince a child that sexual acts with adults are perfectly natural 
in order to assuage concerns that they are doing something wrong. Some may 
prey upon fear, and tell children that they will tell their parents and get them 
in trouble for whatever activity they have engaged in. Others may simply force 
the child to engage in an act against their will. Overall, the production of child 
pornography results in both psychological and physical trauma to the victims. 

These factors make the production and consumption of child pornography 
a particularly heinous crime unlike the production of obscene or pornographic 
content. Thus, while child pornography is the legal definition/term, there is 
a movement to redefine “child pornography” as the current term relates too 
closely to traditional forms of adult pornography which imply consent. The dif- 
ferences that underlie these materials have led some agencies to encourage the 
use of different terms to refer to images of children engaging in sexual acts. The 
preferred terminology that adequately reflects the horrendous nature of this 
crime are CSEM, child sexual abuse material (CSAM), and child sexual 
abuse imagery (CSAI; see Seigfried-Spellar & Soldino, 2019). These terms 
generally refer to any sexually explicit image or video of a minor (Stroebel & 
Jeleniewski, 2015). 
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CSE is a form of child sexual abuse that includes a wide-range of offenses. 
According to the Department for Education (2017), CSE: 


occurs when an individual or group takes advantage of an imbalance of power 
to coerce, manipulate or deceive a child or young person under the age of 18 
into sexual activity (a) in exchange for something the victim needs or wants, 
and/or (b) for the financial advantage or increased status of the perpetrator 
or facilitator (p. 5). 


Examples of CSE include, but are not limited to, child sex trafficking, child sex 
tourism, sextortion, online enticement, child sexual solicitation, and CSEM. 

Interpol and Europol use the term CSAM to refer to what is otherwise 
considered child pornography on the basis that since children are unable to give 
consent, and are being harmed physically and emotionally, the phrase pornog- 
raphy is reductive and unfair to the victims. The inclusion of the words “sexual 
abuse” clearly recognizes the harm and severity of the nature of the crimes 
depicted in images and videos and is essential to protect victims from further 
harm (Interpol, 2017). 

It must be noted that child pornography is a legal definition that extends 
to certain images focusing on sexual acts or sexualized images of children. 
Individuals who actively seek out sexual images of children frequently access 
content that exists on a similar continuum of obscene content featuring adults. 
This was demonstrated through the development of the COPINE (Combat- 
ting Paedophile Information Networks in Europe) Scale to categorize 
sexual content on the basis of the harm involved in erotica and pornographic 
content involving children (Taylor et al., 2001). Initially, researchers devel- 
oped this scale as a tool to assist in the delivery of therapeutic treatment, as 
there may be different cognitive therapies to employ based on the nature of 
the images an individual actively obtained. The model was eventually adapted 
as a tool for researchers and law enforcement to classify content on a scale 
from 1 to 10, with 1 being the least severe and 10 being the most severe 
(see Box 8.2 for detail; Taylor et al., 2001). The COPINE scale categories 
were created after analyzing collections of child pornography images found on 
offender computers. 

Images that fall in the first three categories of the COPINE scale are gen- 
erally nonsexual and can include images of children swimming, changing 
clothes, or in various states of undress (Taylor et al., 2001). Such content 
could be produced surreptitiously by an offender, or acquired from parents, 
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Box 8.2 The 10-Point COPINE Scale 


Level — 1 

Type — Indicative 

Description — Nonerotic and non-sexualized pictures showing children in 
their underwear, swimming costumes from either commercial sources or fam- 
ily albums. Pictures of children playing in normal settings, in which the con- 


text or organization of pictures by the collector indicates inappropriateness. 


Level — 2 
Type — Nudist 
Description — Pictures of naked or semi-naked children in appropriate 


nudist settings, and from legitimate sources. 


Level = 3 

Type — Erotica 

Description — Surreptitiously taken photographs of children in play areas 
or other safe environments showing either underwear or varying degrees 


of nakedness. 


Level — 4 

Type — Posing 

Description — Deliberately posed pictures of children fully clothed, par- 
tially clothed, or naked (where the amount, context, and organization 
suggest sexual interest). 


Level —5 
Type — Erotic posing 
Description — Deliberately posed pictures of fully, partially clothed, or 


naked children in sexualized or provocative poses. 


Level — 6 

Type — Explicit erotic posing 

Description — Pictures emphasizing genital areas, where the child is either 
naked, partially clothed, or fully clothed. 


Lewell = 7 

Type — Explicit sexual activity 

Description — Pictures that depict touching, mutual and self-masturbation, 
oral sex, and intercourse by a child, not involving an adult. 


293 


Child Sexual Exploitation Material Offenses 


294 


Level — 8 

Type — Assault 

Description — Pictures of children being subject to a sexual assault, involv- 
ing digital touching, involving an adult. 


Level — 9 
Type — Gross assault 
Description — Grossly obscene pictures of sexual assault, involving pene- 


trative sex, masturbation, or oral sex, involving an adult. 


Level — 10 

Type — Sadistic/bestiality 

1 Pictures showing a child being tied, bound, beaten, whipped, or other- 
wise subject to something that implies pain. 


2 Pictures where an animal is involved in some form of sexual behavior 


with a child. 


friends, family members, print media, advertisements, as well as social media 
sites online. Content that meets the legal definition for child pornography 
begins in category 4 and focuses more on sexual acts or sexualized images 
featuring children, including sexualized poses or masturbation (Taylor et al., 
2001). The content that we may consider as the most extreme begins in cate- 
gory 8 and features overt sexual acts involving adults, other children, or even 
animals. This content also includes children being violently raped, abused, or 
tortured in a sexual fashion. 

Though it may seem unconscionable to view such images, let alone create 
them, there is a demand for this content within the community of CSEM 
offenders (Seigfried-Spellar, 2013). In fact, a large-scale analysis of a histori- 
cal collection of images of CSE supports the notion that more aggressive and 
hurtful content has been produced over time (NCMEC & Thorn Research 
Report, 2018). Similarly, a recent takedown of a group called The Dream- 
board operated a forum where individuals could view and share images of 
child sexual abuse that was categorized by the nature of the content. The 
most depraved content on the site was listed under the title “Super Hardcore” 
and featured images of adults engaging in sexual acts which clearly caused 
the victims physical and emotional distress (see Box 8.3 for more on the efforts 


to eliminate this group). 
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Box 8.3. Detail on Operation Delego 


Attorney General and DHS Secretary Announce Largest US 
Prosecution of International Criminal Network Organized 
to Sexually Exploit Children 


www.justice.gov/opa/pr/2011/August/11-ag-1001.html 


The board rules also required members to organize postings based on 
the type of content. One particular category was entitled “Super Hard- 
core’... involving adults having violent sexual intercourse with “very 
young kids”... “in distress, and or crying.” 


This press release details a massive investigation of an international child 
pornography distribution network operating online called The Dream- 
board. Individuals participated in this community from around the world 
and were required to post content in order to remain active users. The 
scope of this group, the harm they caused, and the extent of content 
hosed demonstrate the variety of content that can be classified as child 


pornography. 


The Role of Technology in Child Sexual 
Exploitation Material 


While CSEM existed well before the creation of the Internet, the globaliza- 
tion of technology has created an environment where Internet CSEM is read- 
ily available, accessible, and affordable, if not entirely free-of-charge (Cooper, 
1998). In essence, viewing CSEM is an easy crime to commit and an easier 
crime to get away with. It is difficult to assess the total amount of CSEM that 
may be available at any given time online due to the existing laws regarding 
access to this content and the sheer quantity of platforms available for its dis- 
tribution. For instance, there were 70 million images and videos reported to 
federal law enforcement in 2019 alone, with the majority being videos (Dance 
& Keller, 2020). Almost 60 million pieces of content were reported by Face- 
book alone, suggesting social media has become a major platform for the distri- 
bution of content. 

In addition, it appears CSEM is a worldwide problem that allows individuals 


in multiple nations to acquire content from anywhere. The availability of digital 
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photography, webcams, high-speed Internet connections, editing software, and 
removable storage media makes it possible for individuals to create high-quality 
images and videos of deplorable acts of sexual abuse involving children for con- 
sumption around the world. In fact, evidence suggests that India has become 
a hub for CSEM distribution, with estimates suggesting Indian Internet users 
uploading 25,000 images during the last quarter of 2019 and the first quarter of 
2020 alone (Acharjee, 2020). Similarly, the Philippines has become a hotbed of 
CSEM creation and distribution, particularly the livestreaming of abuse (Online 
Sexual Exploitation of Children in the Philippines, 2020). However, the global 
nature of the Internet enables virtually every nation to play a role in the spread 
of content. 

Though social media is increasingly involved in CSEM distribution, a 
substantial proportion of CSEM currently circulating on the Internet still 
flows through peer-to-peer file-sharing programs, including BitTorrent 
(WCSC, 2013). This same software used to distribute pirated media (see 
Chapter 5) is a regular venue for sharing traditional pornographic videos and 
images, as well as images featuring children. Though the same tools are used 
to pirate media as they are to download CSEM, it is unlikely that the average 
person would identify and download CSEM files by accident. Individuals 
actively seeking CSEM use keyword searches that are used to label images, 
videos, and file sets that are distinct from other content (Internet Watch 
Foundation, 2020). 

The growth of various voice over IP (VoIP), video-calling services and 
applications have engendered the growth of services to stream child sexual 
abuse as it happens. The same resources that are used by standard consum- 
ers for interpersonal communication, ranging from Skype to FaceTime to 
Periscope, can now be used to let individuals watch people engage in sexual 
acts with children. Even worse, these services often allow viewers to direct 
the action as it happens, suggesting certain sex acts occur or to comment on 
what they are seeing (see Box 8.4 for example). Many of these streaming 
services appear to originate from and operate out of southeast Asian nations, 
in many cases involving parents and their children rather than some large- 
scale criminal organization (Online Sexual Exploitation of Children in the 
Philippines, 2020). One reason why these streams may have grown is that 
the operators can make individuals pay for access using online payment sys- 
tems or cryptocurrencies. For instance, a woman was arrested in May 2020 
for selling access to livestream video feeds of her three children and their 
cousin (Buan, 2020). The profits made from streaming may enable families 
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Box 8.4 Livestreaming Sexual Abuse Content 


Delco Child Porn Suspect Used Twitch to Lure 50 Boys, 
Police Say 


https://www.nbcphiladelphia.com/news/local/delco-child-porn- 


suspect-used-twitch-to-lure-50-boys-police-say/2404326/ 


A Delaware County child pornography suspect used the popular video 
life streaming service Twitch to get more than 50 underage boys to 


expose themselves, investigators said. 


This article details the arrest of a Pennsylvania man who used the video 
game streaming service Twitch to connect with young boys and get them 
to engage in sexual activities through the application. This story highlights 
the complicated nature of online services targeted toward young audiences 
which could be misused to harm children. 


to gain access to simple comforts and resources they were otherwise not 
able to afford. As a result, it may be difficult to deter the abusers who enable 
these behaviors. 

Social media sites, like Facebook, also serve as a platform for the identifica- 
tion of images of children. Much of this content may be innocuous, featuring 
images of children playing, swimming, or taking baths. Such images could be 
acquired easily from friends, family, and associates with children who regularly 
share media. The rise of image-based messaging applications like Snapchat, Ins- 
tagram, and TikTok also creates opportunities for individuals to actively solicit 
images from children as well. Interested individuals can use these applications 
as a platform to target youth based on information provided in their profile, 
and then begin to chat with them. The conversations are intended to build a 
rapport between the adult and child and enable the adult to actively solicit the 
youth to send them images of themselves in various poses and activities (see 
Box 8.5 for an example). Some may even attempt to use their connection to 
eventually meet the child offline so that they may engage in sexual acts with 
them in person. 

There is also a good deal of CSEM hosted on the Dark Web, referencing 


the portion of the Internet operating on the specialized encrypted software 


platform Tor (Cox, 2016). One reason for the increased use of Tor is likely 
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Box 8.5 Understanding Attempts to Solicit Youth 
into Documenting Sexual Acts 


Child Porn Suspect Accused of Convincing 10-Year Old to 
Send Nude Photos on Facebook, Detectives Say 


https://www.fox13news.com/news/child-porn-suspect-accused-of- 


convincing-10-year-old-to-send-nude-photos-on-facebook-detectives-say 


Polk County detectives arrested a 19-year-old man on child pornog- 
raphy charges, saying he manipulated a child into sending him nude 
images. On Tuesday, detectives arrested Simon Anderson. They said 
the Lake Wales man used Facebook to communicate with a 10-year- 
old and admitted that he knew her age. 


This story details the investigation and arrest of a Florida man named for 
soliciting a child via social media into sharing images of themselves engag- 
ing in sexual acts. This report also explains he threatened to kill the victim 
if she did not provide this content, which makes the offense that much 


more heinous. 


due to the difficulty that law enforcement agencies may initially have in iden- 
tifying the location of content hosting services and users. Individuals can only 
access the Dark Web by downloading and using the free Tor browser, which 
anonymizes the IP address and location details of the user (Barratt, 2012). Indi- 
viduals can host any content they want on Tor using homebrew servers oper- 
ating out of their home, which conceals the physical location of the hosting 
site. In addition, Tor-based content is not indexed by Google or other search 
engines making it difficult to quantify the amount of material available online 
(Barratt, 2012). 

As a result, some CSEM sharing communities have shifted to Tor in an 
attempt to conceal their actions from law enforcement. Federal agencies, such 
as the Federal Bureau of Investigation (FBI), however, are taking somewhat 
extreme steps to identify CSEM groups and their participants, including essen- 
tially hacking the Tor infrastructure in order to capture sensitive user infor- 
mation. Such steps may challenge the admissibility of evidence acquired and 
force investigators to be more transparent in how a takedown operation was 
performed (see Box 8.6 for detail). 
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Box 8.6 The Scope of CSAM on the Dark Web 


Feds Take Down the World's “Largest Dark Web Child Porn 
Marketplace” 


https://www.nbcnews.com/news/crime-courts/feds-take-down- 
world-s-largest-dark-web-child-porn-n1066511 


The now-shuttered English-language site, called “Welcome to Video,” 
contained more than 200,000 unique videos or almost 8 terabytes of data 
showing sex acts involving children, toddlers and infants, according to 
the 18-page criminal indictment unsealed here Wednesday, and pro- 
cessed 7,300 Bitcoin transactions worth more than $730,000. 


This article explains the multiagency, international investigation of a 
CSEM site operating on Tor that operated on a fee-for-service basis. 
The operator, Jong Woo Son, lived in South Korea and had participants 
around the world, including a former US law enforcement officer who is 
alleged to have downloaded over 50 hours of content from the site. The 
investigation took multiple years to complete and involved the FBI, the 
IRS, the UK’s National Crime Agency (NCA), and the Korean National 
Police Agency. 


Explorations of the Pedophile Subculture Online 


Computers have clearly become the preferred medium for those individuals 
with a sexual interest in children by allowing them a degree of anonymity and 
minimal fear of social stigma or legal ramifications for disclosing their prefer- 
ences (Alexy et al., 2005; Durkin, 1997; Durkin & Hundersmarck, 2007; Holt 
et al., 2010; Rosenmann & Safir, 2006). These deviant subcultures take part in 
a variety of computer crimes involving children, ranging from using the Inter- 
net as a way to reach out and develop emotional and sexual relationships with 
children (Jenkins, 2001), to the distribution, trading, and production of CS9EM 
(Durkin, 1997; Jenkins, 2001; Quayle & Taylor, 2002; Taylor et al., 2001). 
Individuals interested in relationships with prepubescent or pubescent chil- 
dren may be classified as pedophiles or hebephiles, respectively, according to 
the diagnostic criteria established by the American Psychological Association’s 
Diagnostic and Statistical Manual of Mental Disorders — 5th edition (DSM-5; APA, 
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2013). Specifically, the DSM-5 introduced the concept of pedophilic disorder, 
which is diagnosed using the following criteria: 


1 Over a period of at least 6 months, recurrent, intense sexual arousing fanta- 
sies, sexual urges, or behaviors involving sexual activity with a prepubescent 
child or children (generally age 13 years or younger); 

2 The person has acted on these sexual urges, or the sexual urges or fantasies 
cause marked distress or interpersonal difficulty; and 

3 The person is at least age 16 years and at least five years older than the child 
or children in the first criterion (APA, 2013). 


The individual must demonstrate all three criteria in order to be diagnosed as a 
pedophile in clinical settings. The DSM-5 also subdivides the pedophilia diag- 
nosis into more specific categories: sexually attracted to males, females, or both 
sexes, exclusive (attracted only to children) or nonexclusive (attracted to both 
adults and children), or limited to incest (APA, 2013; O’Donohue et al., 2000). 

The implementation of the term disorder in this edition of the DSM is 
important because it identifies that an individual has acted on their specific 
urges. Such a behavioral criterion was not present in previous editions which 
only identified pedophilia as a clinical paraphilia or condition. The APA was 
criticized for this inclusion criterion as it does not clearly delineate between 
those who have engaged in sexual acts with children and those who have sought 
out CSEM for masturbatory purposes (e.g., Berlin, 2014). This kind of vague 
language is insufficient for what is meant to be a diagnostic tool for clinicians. 

Regardless of clinical classification, individuals who engage in either sexual 
activities with or fantasize about children are considered to be among the most 
hated deviants in society (Durkin, 1997; Durkin & Bryant, 1999; Holt et al., 2010; 
Jenkins, 2001; Rosenmann & Safir, 2006). Adults who show a strong sexual inter- 
est toward children are, therefore, stigmatized by society and retreat to the virtual 
world to express their true feelings since the Internet can offer almost complete ano- 
nymity. Those who share these taboo sexual feelings come together to form what 
is known as the “pedophile subculture” (Jenkins, 2001; Pittaro, 2008). It is here 
where members of the subculture feel they are part of a group that accepts them for 
their sexual interests. In fact, they can gain validation for their sexual beliefs. 

In his 2001 book Beyond Tolerance: Child Pornography On the Internet, Philip Jen- 
kins examined a BBS where individuals exchanged images of CSEM and found 
a subculture where individuals shared beliefs about the value of CSEM and the 
need to exchange these materials and socialized individuals into this activity. Jen- 


kins (2001) wrote, “Joining the subculture marks less an entry into new activities 
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and interest than an escalation of pre-existing behaviors, supported by a new sense 
of community” (p. 106). These are individuals seeking acceptance; the anony- 
mous nature of the Internet offers this. Users expressed fears of being detected by 
law enforcement, political reviews, and even a shared language. Jenkins observed, 
“one is likely to acquire gradually the peculiar language, mores, and thought pat- 
terns of this world and thus be inducted subtly into the subculture” (p. 108). In 
order to keep up with the language and the rapid change of discussion, users must 
visit and participate regularly if they hope to benefit from this subculture. 
Support, justification, and/or rationalization are also common among pedo- 
phile subcultures (Durkin & Bryant, 1999; Holt et al., 2010; Jenkins, 2001; 
Mayer, 1985). Mayer (1985) wrote, “One striking characteristic of the pedo- 
phile is the ability to minimize or rationalize his activities” (p. 21). Most indi- 
viduals belonging to such subcultures see nothing wrong with relationships 
between adults and children; in fact, they see many positive benefits from these 
interactions, such as being a positive role model in a child’s life (Jenkins, 2001). 
They often do not associate themselves with pedophiles or child molesters and 
even condemn these individuals themselves. These individuals justify this type 
of sexual orientation by using the term “child love” to describe what they 
perceive to be a perfectly normal relationship between adult and child, which 
does not always have to involve sexual activity (Holt et al., 2010; Jenkins, 2001). 
Pedophiles will also use neutralization strategies in attempts to normalize their 
type of deviance. For example, they may attempt to deny whether a “victim” 
existed (“denial of the victim”) by rationalizing that the children were asking for 
or wanted sex. They may also use a technique called “denial of injury,” saying 
sexual encounters can be rewarding and even educational for children (Jenkins, 
2001). Some groups have even gone so far as to compare themselves to the 
Jewish population being hunted down by the Nazis in Germany; they believe 
that sexual attraction to children is much more widespread than society cares to 
accept, and by persecuting them, society is preaching hypocrisy (Jenkins, 2001). 
The idea that “child love” is different from being a pedophile in the eyes of 
these individuals is a topic that has more recently been examined by research- 
ers (Holt et al., 2010; Jenkins, 2001). Many members of the CSEM discussion 
boards examined by Jenkins (2001) did not see themselves as pedophiles. In one 
thread, a user identified as “Humbert Humbert” wrote, “Am not a pedo, just 
like the beauty of pre-pubescent/adolescent girls. Therefore, I don’t think I am 
a perv. Just rational minded” (p. 119). They believe that those who actually 


abuse children represent just a small minority of their community and that most 


users are just looking, not acting (Jenkins, 2001). 
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It is hard to determine which members of these communities are or have actu- 
ally been physically (sexually) involved with children, since the majority of users do 
not reveal any illegal behavior that may have occurred for fear of legal ramifications 
(Jenkins, 2001). However, the concept of sharing fantasies, urges, and nonsexual 
interactions with children is seen in most of the pedophile online communities 
(Holt et al., 2010; Jenkins, 2001). While most research and investigations have 
focused on targeting those who possess/trade CSEM and/or child molesters, few 
have considered the members of the online pedophile subculture, who do not con- 
sider themselves pedophiles or child molesters but “child lovers” (Holt et al., 2010). 


Typologies of CSEM Use and Consumption 


Given the substantial concern over the rise of CSEM in online environments, 
researchers have examined characteristics of individuals who consume these 
materials. Although it may be counter-intuitive, Internet CSEM users are not 
necessarily pedophiles (i.e., sexually attracted to children) or child sex offenders 
(i.e., hands-on contact offenders; Babchishin et al., 2011; Klain et al., 2001;). 
Internet CSEM users may be motivated by curiosity, addiction, or financial 
profit rather than a sexual interest in children (Taylor & Quayle, 2003). In addi- 
tion, research indicates that Internet CSEM uses are not more likely to cross 
over into contact offending (see Seto & Eke, 2005; Webb et al., 2007). 

According to Seto et al. (2011) CSEM users (i.e., hands-off or Internet-only 
offenders) are significantly less likely to reoffend and have prior criminal histo- 
ries of contact offenses compared to contact child sex offenders (i.e., hands-on). 
However, research suggests they are more likely to exhibit pedophilic charac- 
teristics compared to contact child sex offenders (Babchishin et al., 2015; Seto 
et al., 2006, 2012). 

Researchers have used various data to further understand the dynamics between 
online and offline offender groups. In general, individuals who only consume 
CSEM appear to differ from those who either engage in real-world offenses only, 
or who engage in both offense types. Online-only offenders are more likely to be 
young, single, white males who are unemployed and who have greater empathy 
for sexual abuse victims (Babchishin et al., 2011). Their level of empathy may be 
key in keeping them from engaging in contact offenses in the real world, as it 
appears that individuals who view CSEM report higher pedophilic interests gen- 
erally (Babchishin et al., 2015). People who engage in offenses online and offline 
report slightly higher pedophilic interest levels than those who only view CSEM, 
which may be an important behavioral driver (Babchishin et al., 2015). 
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Online offenders also demonstrate a greater range of sexual deviance which 
may be associated with their interest in various sexual contents (Babchishin 
et al., 2011). This may also be associated with the fact that online offenders are 
also more likely to report either having a homosexual or bisexual orientation 
(Babchishin et al., 2015). Importantly, both online and offline offenders are 
more likely to report sexual and physical abuse than men in the general popula- 
tion. This is sensible as there is a high correlation between some history of abuse 
and sexual offending behaviors generally (Jespersen et al., 2009). 

Overall, not all CSEM users are pedophiles or contact child sex offenders, 
and CSEM users are not significantly more likely to cross over into contact child 
sex offenses. In addition, some research suggests they may exhibit more pedo- 
philic characteristics than contact child sex offenders (Babchishin et al., 2015; 
Federal Bureau of Investigation, 2020a; Klain et al., 2001; Perrien et al., 2000; 
Quayle & Taylor, 2002; Seto & Eke, 2005; Seto et al., 2006). However, these 
previous studies sampled CSEM users from the clinical or forensic population. 
Other researchers have relied on self-report measures using anonymous surveys 
to assess the prevalence of CSEM use amongst general Internet users, with results 
suggesting anywhere between 6 and 10 percent of Internet users admit to inten- 
tionally consuming CSEM (Seigfried et al., 2008; Seigfried-Spellar, 2015, 2016). 

Recognizing that CSEM users are not a homogeneous group, researchers also 
developed typologies to classify individuals based on their collecting behaviors 
(Alexy et al., 2005; Durkin, 1997; Krone, 2004; Quayle & Taylor, 2002; Rogers 
& Seigfried-Spellar, 2013; Taylor & Quayle, 2003). It is thought that viewing and 
collecting CSEM and associated materials can possibly lead to more serious offenses 
and may produce varied uses for this content, whether online or offline. One of 
the first such typologies was proposed by Durkin (1997, p. 16) with four categories 
based on individual misuse of the Internet and its role with offline activities: (1) traf- 
ficking CSEM (traders), (2) communicating and sharing ideas with like-minded 
persons (networking), (3) engaging in inappropriate communication with chil- 
dren (grooming), and (4) attempting to find children to molest (travelers). 

An expanded model was proposed by Krone (2004) focusing on offender’s 
use of technology to view, collect, share, and/or produce CSEM, as well as 
their level of technical competency, the nature of the images they seek, their 
social connectivity to others interested in CSEM, and the extent to which they 
attempt to hide their activities from law enforcement. In this respect, Krone’s 
typology builds from Durkin but also provides greater depth and potential 


accuracy in assessing offender behavior. This nine-category typology recognizes 


the following types: (1) browser, (2) private fantasy, (3) trawler, (4) nonsecure 
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collector, (5) secure collector, (6) groomer, (7) physical abuser, (8) producer, 
and (9) distributor. It is not intended for use in clinical treatment or diagnostic 
purposes, but rather to classify misuse of technology and involvement in the 
production of CSEM and sexual abuse for law enforcement. 

The first two categories involve individuals with no social connections to 
others and at the same time do not take steps to hide their activities from law 
enforcement. The browser views CSEM accidentally but saves the content 
deliberately for later use. The private fantasy user creates their own materials 
so that they can use it for personal reasons later. This content is not meant to be 
viewed by others or deliberately shared and may include stories, line drawings, 
or computer-generated images or video. 

The next three categories involve individuals deliberately searching for CSEM 
and sexual content, though they may have generally lax security. The trawler 
actively searches for CSEM through various browsers as they have generally few 
connections to others to facilitate access to content and takes no steps to conceal 
their activities. The nonsecure collector is technologically savvy and uses peer-to- 
peer file-sharing programs and other more secured sources to access content. They 
have greater social connections that engender access to CSEM, though they take no 
real steps to protect whatever content they collect. The secure collector, however, 
only accesses CSEM via secured or private networks and deliberately categorizes 
and indexes their collections. They also exchange content with others in order to 
gain access to secured CSEM sharing groups and networks. 

Though the previous categories involved no physical contact with child vic- 
tims, the next three categories all involve attempted or successful direct contact 
offenses in the real world. These categories also have substantive overlap with 
categories from the Durkin (1997) typology, as with groomers who seek sexual 
relationships with children online. A groomer may not access CSEM, but if 
they do they are more likely to share it with their intended target to normalize 
the notion of a sexual activity. Groomers are also dependent on the steps their 
victims take in order to minimize their risk of getting caught. 

The physical abuser has direct physical contact with children and is similar to 
groomers in that they may or may not access CSEM and may have cultivated a rela- 
tionship with their victim online. Producers go one step beyond abusers as they 
document their abuse of a victim, or serve as a facilitator to document abuse others 
engage in. In both of these categories, the offenders are also dependent on their 
victims to minimize the likelihood of detection. The final category, distributors, 
are responsible for sharing the content that is used by offenders in any of the pre- 
vious categories. They may be either poorly or well connected to others based on 
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the type of content they share, though they are much more careful to secure their 
activities from law enforcement. Distributors are also likely to not have direct con- 
tact with child victims, instead operating as a middleman to make content available. 

An expansion of the Krone (2004) model was produced by Rogers and 
Seigfried-Spellar (2013) to provide specificity on the ways that individual 
offenders may store content or misuse their devices in the course of an offense. 
The authors retain the original nine categories proposed by Krone (2004) but 
provide additional context for the technical knowledge of the offender based on 
the file types, system locations, and software/hardware resources an individual 
may use to either access content or conceal their activities. As with Krone, this 
typology is designed to aid law enforcement in recognizing potential sources of 
forensic information to facilitate criminal investigations (see Box 8.7 for detail). 


Box 8.7. The Rogers Seigfried-Spellar Hybrid Model 


Browser Response to spam, accidental Internet history logs 
hit on suspect site — material Temporary files 
knowingly saved Web cache 

Cookies 


Default user account folders 
(e.g., pictures, movies) 
Thumbnails 

Deleted files 

Recycle bin 


Private fantasy 


Conscious creation of online 
text or digital images for 


private use 


Internet history logs 
Temporary files 

Web cache 

Cookies 

Default user account folders 
(e.g., pictures, movies) 
Thumbnails 

P-2-P folders 

email 

Registry/Typed URLs 
Deleted files 

Recycle bin 

External storage devices 
Mobile phone 


(Continued) 
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Trawler Actively seeking CSEM using Internet history logs 
openly available browsers Temporary files 
Web cache 
Cookies 


Default user account 
folders (e.g., pictures, 
movies) 

Non-default folders 
Thumbnails 

P-2-P folders 

email 
Registry/Typed URLs 
Deleted files 

Recycle bin 

IRC folders 

External storage 
devices 

Mobile Phone 


Nonsecure Actively seeking material often | Internet history logs 

collector through peer-to-peer networks | Temporary files 
Web cache 
Cookies 


Default user account 
folders (e.g., pictures, 
movies) 

Non-default folders 
Thumbnails 

P-2-P folders 

email 
Registry/Typed URLs 
Deleted files 

Recycle bin 

IRC folders 

External storage 
devices 

Mobile phone 


(Continued) 
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Secure collector 


Actively seeking material but 
only through secure. Collector 
syndrome and exchange as an 


entry barrier 


Internet history logs 
Temporary files 
Web cache 

Cookies 

Default user account 
folders (e.g., pictures, 
movies) 

Non-default folders 
Thumbnails 

P-2-P folders 

email 
Registry/Typed URLs 
Deleted files 
Recycle bin 
External storage 
devices 

Encrypted folders 
IRC folders 

Mobile phone 


Groomer 


Cultivating an online 
relationship with one or more 
children. The offender may or 
may not seek material in any of 
the above ways. Pornography 


may be used to facilitate abuse 


Internet history logs 
Temporary files 
Web cache 

Cookies 

Default user account 
folders (e.g., pictures, 
movies) 

Non-default folders 
Thumbnails 

P-2-P folders 

email 
Registry/Typed URLs 
Deleted files 
Recycle bin 
External storage 
devices 

Mobile phone 


(Continued) 
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Physical abuser Abusing a child who may have _| Internet History logs 
been introduced to the offender | Temporary files 
online. The offender may or Web cache 

may not seek material in any of | Cookies 

the above ways. Pornography Default user account 
may be used to facilitate abuse folders (e.g., pictures, 
movies) 

Non-default folders 
Thumbnails 

P-2-P folders 

email 
Registry/Typed URLs 
Deleted files 

Recycle bin 

External storage 
devices 


Digital cameras 


Mobile phone 
Producer Records own abuse or that of Internet history logs 
others (or induces children to Temporary files 
submit images of themselves) Web cache 
Cookies 


Default user account 
folders (e.g., pictures, 
movies) 

Non-default folders 
Thumbnails 

P-2-P folders 

email 
Registry/Typed URLs 
Deleted files 

Recycle bin 

External storage 
devices 

IRC folders 

Digital cameras 
Mobile phone 


(Continued) 
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Distributor May distribute at any one of the | Internet history logs 
above levels Temporary files 
Web cache 
Cookies 


Default user account 
folders (e.g., pictures, 
movies) 

Non-default folders 
Thumbnails 

P-2-P folders 

email 
Registry/Typed URLs 
Deleted files 
Recycle bin 
External storage 
devices 

IRC folders 

Digital cameras 
Mobile phone 


For instance, browsers are likely to have evidence of their activities in their 
browser histories and recycle bin, while a private fantasy user may also have evi- 
dence located in external hard drives and their phone due to the nature of the 
content they create. Trawlers and nonsecure collectors may have a greater range 
of software they use to attempt to access CSEM and store files in unusual system 
locations. The secure collector may, however, utilize file encryption in order to 
hide the file folders that store the content they acquire. The nature of the files 
and content used by the remaining categories are thought to vary based on their 


access to and use of CSEM as well as the nature of the abuse they engage in. 


The Legal Status of CSEM Around the Globe 


Despite the variation in what constitutes obscene content, there is some con- 
sistency in laws regarding child exploitation. In the United States, there are 


multiple federal laws designed to protect youth from exploitation and punish 
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individuals who share or create CSEM. In fact, the first law criminalizing 
CSEM in the United States was enacted in 1977, called the Protection of 
Children Against Sexual Exploitation Act. This law made it illegal for 
anyone under the age of 16 to participate in the visual production of sexually 
explicit materials, though this definition was extended to the age of 18 in 1986 
(Brenner, 2011). 

Later legislation, though, has had the greatest impact on CSEM through the 
implementation of the Child Pornography Prevention Act of 1996. This 
Act extended the existing laws regarding CSEM by establishing a new defini- 
tion for child pornography. Specifically, this Act amended the criminal code 
under Title 18 to define child pornography as “any visual depiction, includ- 
ing any photograph, film, video, picture, or computer or computer-generated 
image or picture of sexually explicit conduct” (Brenner, 2011, p. 51). The law 
also recognizes that the image (1) must have been produced involving an actual 
minor engaging in sexual acts, (2) involved or appeared to involve a minor, 
and/or (3) was created, adapted, or modified to appear that a minor is engaging 
in sexual acts. This definition was established in order to provide the needed 
flexibility to prosecute CSEM cases that may have been created using Photo- 
shop or other computer programs and sent electronically. It can also, however, 
be applied to photos where a child is nude and alone but appears to be sexually 
suggestive in and of itself. 

This act also made it illegal to engage in multiple activities associated with the 
production of CSEM. It is now illegal for anyone to persuade, entice, induce, or 
transport minors in order to engage in sexual acts for the purpose of producing 
images and/or video of the acts, and if they will be transported in foreign or 
interstate commerce (Brenner, 2011). Similarly, it is illegal for anyone to entice 
a minor to engage in sexual acts outside of the United States in order to produce 
visual depictions of the behavior. It is also illegal for anyone to print or pub- 
lish advertisements associated with the sexual exploitation of children (Brenner, 
2011). This law also makes it illegal to either conspire or attempt to commit any 
of these offenses. 

The penalties for these offenses are severe and include a federal prison sen- 
tence between 15 and 30 years and/or a fine. If the offender has a prior charge 
of sexual exploitation on their record at either the state or federal level, they can 
receive between 25 and 50 years. If they have two or more charges, then they 
are eligible to receive a life sentence in prison (Brenner, 2011). In the event that 
a child dies in the course of the offenses above, then the offender is eligible for 
the death penalty. 
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Section 2252 of this same Act also made it illegal to knowingly: 


ay 


mail, transport, or ship child pornography by any means, physically or 
electronically; 

receive or distribute child porn or materials containing child pornography; 
reproduce child porn for distribution through the mail or by computer; 


sell or possess child porn with the intent to sell; 


abe &O N 


possess any “book, magazine, periodical, film, videotape, computer disk, or 
other material that contains an image of child porn” (Brenner, 2011, p. 54); 
and 

6 distribute, offer, or send a visual depiction of a minor engaging in sexually 


explicit conduct to a minor. 


The first, fourth, and sixth acts can lead an individual to be imprisoned between 
5 and 20 years minimum, though if they have a prior conviction for child por- 
nography, then they can receive a prison sentence of between 15 and 40 years. 
The fifth activity, possessing child pornography, can lead an individual to be 
fined and imprisoned for up to 10 years, though if they have a prior offense 
history, they can be imprisoned between 10 and 20 years (Brenner, 2011). 
These statutes all apply to images of real children who have been victimized 
in some way. Some argued that the ability to create images of virtual children 
using computer software or line drawings does not create the same issue of 
victimization. As a result, these materials should not be treated as illicit mate- 
rial because of the protections afforded by the First Amendment right to free 
speech in the United States (Brenner, 2011). This challenge was struck down 
through the creation of the Prosecutorial Remedies and Other Tools to 
end the Exploitation of Children Today Act (or PROTECT Act) of 
2003. This law criminalized virtual child pornography and extended the legal 
definition to include “a digital image, computer image, or computer-generated 
image that is, or is indistinguishable from, that of a minor engaged in sexually 
explicit conduct” (Brenner, 2011, p. 57). This Act remedied previous problems 
experienced by the prosecution when the defense argued that the individuals in 
the images were not actual, but computer-generated, victims. In this respect, an 
offender could claim their actions caused no harm to real children. Prosecutors 
would have to challenge such attempts and demonstrate how harm may have 
occurred. The revisions afforded by the Act of 2003 shifted the burden of proof 
to the defense so it is now their duty to prove that the child pornography images 


do not include actual victims. 
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Also, this Act included language criminalizing “obscene child pornography,” 
which involves any visual depiction, whether a sculpture, painting, cartoon, 
or drawing of minors engaging in sexually explicit conduct or obscene acts; 
or involves a minor engaging in bestiality, sadism, or masochistic abuse, sexual 
acts of any kind; and lacks serious literary, artistic, or scientific value (Brenner, 
2011). The language related to the value of the image is critical because it is 
synonymous with that of the Miller test of obscene material in the Supreme 
Court. As a result, this helps to ensure that this standard is constitutional when 
applied to any criminal case. 

In the United States, all states and the District of Columbia have criminal- 
ized the use, creation, possession, and distribution of child pornography and the 
sexual solicitation and exploitation of minors (Children’s Bureau, 2019). These 
offenses are treated as felonies, though the range of sanctions varies in terms of 
years in prison based on the individual’s prior record and the severity of the 
offense. Additionally, the Federal Child Abuse Prevention and Treatment Act 
(CAPTA) requires that all states have provisions or procedures requiring certain 
groups of individuals to report suspected or known cases of child abuse and 
neglect. Groups that are often required per state statutes to report child abuse are 
social workers, teachers, health-care workers, child care providers, counselors, 
and law enforcement officers. Other states include other groups that are required 
to report child abuse, including the creation of CSEM materials. Twelve states 
have established laws that require commercial film or photography processors 
to report any child abuse or neglect that they identify in the course of their 
work (Children’s Bureau, 2019). Six states (Alaska, California, Illinois, Missouri, 
Oklahoma, and South Carolina) also require computer technicians to report 
child abuse or neglect. These laws are not designed to require computer techni- 
cians to actively seek out or search for child sexual abuse content, but rather to 
ensure that such content is reported in the event it is uncovered in the course 
of normal operations. Reporting any child pornography identified provides the 
individual and their company with immunity from criminal or civil liability in 
most states (Children’s Bureau, 2019). In the event an individual does not report 
child pornography to law enforcement at the state and/or federal level, the indi- 
vidual can be charged with a misdemeanor and/or fined. 

International laws regarding child pornography vary based in part on local 
standards for obscene content and their sanctions for use or possession of por- 
nography (International Centre for Missing and Exploited Children, 2020a). In 
the United Kingdom, the Protection of Children Act 1978 (PCA) was the 
first attempt to legislate against this activity, making it illegal to obtain, make, 
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distribute, or possess an indecent photograph of someone under the age of 16 
(later raised to 18) (Crown Prosecution Service, 2020). The law was extended 
in 1994 through the Criminal Justice and Public Order Act to include 
images that appear to be photos, so-called pseudo-photographs. Additional leg- 
islation in 2009 called the Coroners and Justice Act extended the law to 
include all sexual images depicting youth under the age of 18, whether real or 
created (Crown Prosecution Service, 2020). The current punishment structures 
enable an individual to be imprisoned up to 10 years, depending on the offense 
and the nature of the content the individual either acquired or viewed. In addi- 
tion, the Serious Crime Act 2015 criminalized the possession of “any item that 
contains advice or guidance about abusing children sexually” which may be 
referred to as a pedophile manual (Crown Prosecution Service, 2020). Having 
such materials carries a maximum sentence of three years in prison. 

Canada utilizes a similar definition to that of the United States, though they 
also include audio recordings of the sexual exploitation of children and written 
depictions of persons under the age of 18 engaging in sexual activities or those 
that actively induce or encourage sex with minors (Akendiz, 2008). In fact, 
Canadian courts can mandate that such content be deleted from the Internet if 
the materials are available on a computer system within the Canadian borders. 
Their sanctions for child pornography are also similar to the United States, 
in that the possession of child pornography is punishable by up to ten years 
in prison, while the production and/or distribution of child pornography can 
lead to a 14-year prison sentence (Seidman, 2013). Similarly, Australian law 
prohibits any sexual image, real or created, of children under the age of 18. 
Their sanctions regarding child pornography offenses are consistent regardless 
of the offense, whether the production or possession of child pornography, and 
include a fine of up to A$275,000 and up to 10 years imprisonment (Krone, 
2005). All of these nations also have laws that require Internet service providers 
(ISPs) to monitor and report the presence of child pornography on systems that 
they control. In the event that such materials are not reported, the ISP can be 
held liable for the distribution of this content and eligible for fines and other 
sanctions (Brenner, 2011). 

In 2009, India criminalized sexual offenses involving a person under the age 
of 18 through an amendment to the Information Technology Act of 2000. 
Under statute 67B, it is illegal for any person to: 


1 publish or transmit or cause to be published or transmit material in any elec- 


tronic form which depicts children engaged in sexually explicit act or conduct, 
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2 create text or digital images, collect, seek, browse, download, advertise, pro- 
mote, exchange or distribute material in any electronic form depicting chil- 
dren in obscene or indecent or sexually explicit manner, 

3 cultivate, entice or induce children to engage in an online relationship with 
one or more children for a sexually explicit act or in a manner that may 
oftend a reasonable adult, 

4 facilitate abusing children online, or 


5 record in any electronic form their own sexual abuse of'a child or that of others. 


This relatively comprehensive statute makes any of these offenses punishable by 
up to five years in prison and or a fine of 1 million Rupees for the first convic- 
tion, which increases to seven years in prison on the second conviction. 

The Convention on Cybercrime deals with CSEM under Article 9, 
requiring member states to make it illegal to produce, distribute, offer, pro- 
cure, or possess child pornography via computer or media storage device. The 
CoC encourages the use of a definition of child pornography that includes 
visual depictions of minors, people who appear to be minors, or realistic images 
of minors engaged in sexual acts (Brenner, 2011). Due to the complexity of 
national standards, the CoC also allows signatory nations to define minors as 
individuals under the age of 16 or 18, depending on their current standards, and 
may choose not to criminalize created images or those where participants only 
appear to be minors (Brenner, 2011). 

Since April 2006, the International Centre for Missing and Exploited 
Children (ICMEC) has published nine reports comparing legislation on 
CSAMs across the INTERPOL member countries. The first report in 2006 
reviewed 184 INTERPOL member countries with the most recent report 
(9th edition), including 196 countries (International Centre for Missing and Exploited 
Children, 2018). Since 2006, 150 nations have refined or implemented new 
legislation on CSAMs. In 2006, the ICMEC reported that 95 countries had no 
legislation at all specifically addressing CSAMs; this number has since dropped 
to 16 countries in 2018 (International Centre for Missing and Exploited Chil- 
dren, 2018). The 16 countries with no legislation addressing child pornography 
include Central African Republican, Equatorial Guinea, Somalia, Dominica, 
Saint Lucia, and Palau to name just a few. It should also be noted that some 
countries, such as Iran, Iraq, and Kuwait, do not have specific statutes on child 
pornography; however, all pornography is illegal in those countries, thereby 
making CSAM illegal as well even no specific statutes exist. In addition, 
56 countries still do not criminalize simple CSAM possession although they 
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have CSAM legislation. Thus, CSAM legislation varies greatly around the 
world, particularly regarding the illegality of CSAM possession. 


For more information on the International Centre for Missing 
and Exploited Children’s 9th edition of Child Sexual Abuse Mate- 
rial: Model Legislation & Global Review, go online to: https:// 
cdn.icmec.org/wp-content/uploads/2018/12/CSAM-Model-Law-9th- 
Ed-FINAL-12-3-18-1.pdf 


Nonprofit Organization Efforts 


In the United Kingdom, the Internet Watch Foundation (IWF) is a charitable 
organization that is focused on reducing the amount of child pornography and 
exploitation materials hosted worldwide and criminally obscene adult content in 
the United Kingdom. The IWF receives financial support from ISPs, technology 
and financial service providers, and the European Union (Internet Watch Foun- 
dation, 2020). Beginning in 1996, the IWF was created to provide a hotline for 
the public and IT professionals to report criminal content found on the Internet. 
These reports are processed and used to distribute takedown notices to ISPs in the 
event that child pornography is identified. In fact, they estimate removing over 
1,000 web pages each week since their inception. In fact, their efforts have led to 
a massive decrease in CSEM being hosted in the United Kingdom, from 18 per- 
cent of all child sexual abuse content being hosted on UK IP addresses in 1996 to 
only 0.1 percent in 2020 (Internet Watch Foundation, 2020). In addition, the 
IWF provides a block list to ISPs and industry so that individuals are unable to 
access content hosted online. They also provide assistance to UK law enforce- 
ment agencies to pursue the distributors and consumers of harmful content. 


For more on agencies and their efforts to combat child abuse and 


harm, go online to: 


1. Internet Watch Foundation: https://www.iwf.org.uk/ 

2. National Center for Missing & Exploited Children: www.missing 
kids.com/home 

3. International Centre for Missing & Exploited Children: www. 


icmec.org 
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The National Center for Missing and Exploited Children (NCMEC) 
is one of the key nonprofit organizations in the United States that deals with 
missing children and child exploitation. The Center began in 1984 under man- 
date from the US Congress and then-President Ronald Reagan as a clearing- 
house for information and resources regarding these crimes (National Center 
for Missing and Exploited Children, 2020). Currently, the NCMEC is funded 
in part by the US Congress, as well as donations from the private sector and 
matching donors. As a result, the NCMEC is authorized by Congress under 
42 USC 5773 and performs multiple roles to facilitate the investigation of 
crimes against children (CAC) (National Center for Missing and Exploited 
Children, 2020). Resulting from the PROTECT Our Children Act of 2008, 
the NCMEC operates a national toll-free hotline (1-800-THE-LOST) to col- 
lect information on runaway children, and the CyberTipline, which provides 
an electronic resource for individuals to report suspected incidents of child 
abuse, child pornography, and sexual exploitation. In fact, the Tipline received 
16.9 million reports in 2019 alone (National Center for Missing and Exploited 
Children, 2020). 

The NCMEC offers training programs for youth and educators involving 
the threats children face online. The NCMEC also offers training and resources 
for law enforcement, including the Child Victim Identification Program 
(CVIP), which culls through images of child pornography in order to deter- 
mine the identity and location of child victims (National Center for Missing and 
Exploited Children, 2020). This program has received requests to review more 
than 160 million images and videos from across the world (US Department of 
Justice, 2016). In addition, they support a joint operation with the US Mar- 
shals service to track sex offenders who violate the terms and conditions of 
their sentences. 

The success of the NCMEC, and the recognition of a need for similar enti- 
ties around the world, led to the formation of the ICMEC in 1999. The Centre 
is also a nonprofit agency with a similar mission to the NCMEC, though it is 
focused on building partnerships in a global context to better investigate child 
exploitation cases and build the legal capacity of nations so that there is consist- 
ency in laws to prosecute these offenses (International Centre for Missing and 
Exploited Children, 2020a). They not only focus on child abduction and harm 
but also have a substantive set of resources to support the investigation of child 
pornography and exploitation cases. 

In particular, the ICMEC operates the Financial Coalitions Against Child 
Sexual Exploitation (FCACSE), which have a focus on the United States 
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and on the Asia-Pacific region (International Centre for Missing and Exploited 
Children, 2020b). These groups consist of financial institutions and ISPs who 
are jointly operating to take complaints of CSAM content operating on various 
platforms and disrupt the businesses that are engaged in the sale of or profit 
generation from this content (International Centre for Missing and Exploited 
Children, 2020b). They also offer training and assistance to law enforcement 
agencies internationally, along with legal consultations in order to develop 
model child exploitation law and harmonize legislation internationally. The 
ICMEC has national operational centers in Belarus, Belgium, Greece, Russia, 
the United States, and has new regional offices in Singapore, Greece, and Latin 
America to better service the nations of southeast Asia, southeastern Europe, 
and Central and South America, respectively (International Centre for Missing 
and Exploited Children, 2020b). 


Law Enforcement Efforts to Combat CSEM 


At the federal level in the United States, there are a number of agencies involved 
in the investigation of sexual offenses. The Federal Bureau of Investigation’s 
(FBI) Crimes Against Children (CAC) program investigates a range of sex- 
ual offenses and criminal activities that affect youth, ranging from CSEM to sex 
trafficking to kidnapping (Federal Bureau of Investigation, 2020a). This program 
became operational in October 2012 when two preexisting programs, called the 
Innocent Images Initiative under the Cyber Division and the CAC program, within 
the Criminal Investigative Division, were merged together. Each of these groups 
had a unique function: the Innocent Images program investigated child exploita- 
tion and pornography cases online, while the CAC program handled cases of child 
prostitution, abduction, and sex tourism (Federal Bureau of Investigation, 2020a). 
Combining these programs enabled a more effective approach to the investigation 
of these related crimes and helped to reduce the burden of pursuing the tremen- 
dous number of investigations of child exploitation that were tasked to the Cyber 
Division, which was already responsible for investigating hacking and fraud cases. 
The CAC program now falls under the FBI’s Criminal Investigative Division 
and develops investigative leads, which are pursued by field agents in each of the 
56 field offices the Bureau operates across the United States (Federal Bureau of 
Investigation, 2020a). In each office, these cases are investigated by specialized 
Child Exploitation and Human Trafficking Task Forces (CEHTTFs), 
which are joint operations of federal, state, and local law enforcement officers 


(Federal Bureau of Investigation, 2020a). This program is both reactive, in that 
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it actively investigates leads and tips provided by the general public and reports 
collected by NCMEC, and proactive, based on undercover investigations initi- 
ated by agents in chat rooms, social networking sites, website, and file-sharing 
communities (Federal Bureau of Investigation, 2020a). 

The FBI also spearheads the Violent Crimes Against Children Inter- 
national Task Force (VCACITEF), which began in 2004 and is now the 
largest global task force in the world that investigates child exploitation cases 
(Federal Bureau of Investigation, 2020a). This program investigates cases of 
child sex tourism in southeast Asia and Latin America in order to develop prac- 
tical evidence against US citizens who engage in such tourism so that they can 
be successfully prosecuted in the United States. There are over 45 nations that 
participate in this force, with 68 active members, all of whom share informa- 
tion in order to investigate child exploitation cases (Federal Bureau of Investi- 
gation, 2020a). 

Additionally, the FBI operates the Endangered Child Alert Program 
(ECAP), which seeks to identify the adults featured in some child exploitation 
content so they may be brought to justice (Federal Bureau of Investigation, 
2020b). The faces and identifying characteristics of individuals are stripped from 
the media and published as Jane/John Does in order to obtain arrest warrants 
and actionable information about their real identities. A similar program, dubbed 
Operation Rescue Me, has been in operation since 2008 and is designed to 
identify the victims of child exploitation. Analysts sift through newly posted 
images and videos of child pornography in order to capture clues about the 
location and timeframe of when the media was made so that victim identities 
can be determined and saved. Thus far, the program has led to 45 youths being 
successfully identified and found from information available in these materials 
(Federal Bureau of Investigation, 2020b). 

The Immigration and Customs Enforcement (ICE) Agency also plays 
an important role in the investigation of child exploitation cases (Immigration 
and Customs Enforcement Agency, 2020). Their role is often viewed in the 
context of managing the people and property that enter the United States, mak- 
ing the importation or distribution of child pornography and obscene content 
through its borders, electronic or otherwise, an investigative priority for ICE 
agents. As a result, ICE operates the Child Exploitation Investigations Unit 
to investigate myriad offenses online and offline. One of their key programs 
called Operation Predator is designed to facilitate the investigation of child 
exploitation, both in the United States and abroad (Immigration and Customs 
Enforcement Agency, 2020). This program has led to the arrest of more than 
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14,000 people for offenses, including child porn production and distribution 
as well as sex trafficking of minors (Immigration and Customs Enforcement 
Agency, 2020). 

Not only do agents actively investigate these crimes, but they also work 
with state and local law enforcement agencies to provide intelligence and inves- 
tigative resources to identify offenders and victims. They have also established 
a National Victim Identification Program to assist in the investigation of these 
offenses (Immigration and Customs Enforcement Agency, 2020). This agency 
is also the US representative to Interpol’s working group on child sexual abuse 
online and is heavily involved in the Virtual Global Taskforce (VGT), 
which is discussed later in this chapter (Immigration and Customs Enforcement 
Agency, 2020). Agents actively identify materials online and use these images 
and videos as the basis for investigative leads around the world (see Box 8.8; 


Immigration and Customs Enforcement Agency, 2020). 


Box 8.8 Immigration and Customs Enforcement 
Operations in Action 


29 Arrested in International Case Involving Live Online 
Webcam Child Abuse 


https://www.ice.gov/news/releases/29-arrested-international-case- 
involving-live-online-webcam-child-abuse#:~:text=29%20arrested%20 
in%20international%20case%20involving%20live%20online% 
20webcam™%20child%20abuse,-29%20arrested%20in&text=15% 
20children%20in%20the%20Philippines, children%20by%20the%20 


customer%20network. 


An organized crime group that facilitated the live streaming of on- 
demand child sexual abuse in the Philippines has been dismantled after 
a joint investigation by the U.K.’s National Crime Agency (NCA), the 
Australian Federal Police (AFP) and U.S. Immigration and Customs 
Enforcement (ICE). 


This article provides an overview of a recent case investigated by a joint 
operation, including agents from the US Immigration and Customs 
Enforcement (ICE). The case spanned multiple nations, with victims 
across the globe. 
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The US Postal Inspection Service plays a role in the investigation of child 
exploitation cases as well, since CSEM was distributed directly via postal mail 
prior to the development of the Internet. The Postal Inspectors have investi- 
gated these offenses for more than 100 years as the law enforcement arm of the 
US Postal Service (US Postal Inspection Service, 2020). There are approxi- 
mately 1,289 criminal investigators working within the office, as well as 
581 armed uniformed officers (US Postal Inspection Service, 2020). They often 
work hand in hand with other law enforcement agencies to investigate a range 
of offenses, including identity crimes and drug offenses. This is particularly true 
for CSEM cases, as this content is still distributed in part from postal mail, and 
investigations of mailing behaviors can be used to help further investigations 
underway by other agencies (US Postal Inspection Service, 2020). 


For more information on the Postal Service’s investigative role, 
go online to: https://www.uspis.gov/wp-content/uploads/2020/02/ 
FY-2019-annual-report-508-web.pdf 


There are myriad specialized policing units at the federal or national level to 
investigate child pornography and exploitation cases around the world. The UK’s 
Child Exploitation and Online Protection (CEOP) Command is a part of 
the National Crime Agency (NCA), which became operational in October 
2013. The CEOP takes reports of exploitation, abuse, and missing youth and will 
directly investigate threats and coordinate responses, depending on the scope of 
harm across multiple areas (CEOP, 2020). The CEOP also serves as the point of 
contact for multinational investigations in order to coordinate responses within 
the United Kingdom while working in concert with other agencies around the 
world. They also track registered sex offenders and pursue those who have failed 
to comply with any community notification requirements they may face as a 
result of their release from prison. Local police agencies can also request computer 
forensic assistance or covert investigation resources from the CEOP to facilitate a 
case against child predators. In addition to enforcement and investigative responsi- 
bilities, the CEOP also operates the ThinkUKnow program, designed to educate 
children and adults about threats to youth safety (CEOP, 2020). 

In Australia, the Federal Police has a special subgroup called the Child Protec- 
tions Operations (CPO) team that investigates and coordinates the response 
to child exploitation cases both domestically and internationally (Australian 
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Federal Police, 2021). The Royal Canadian Mounted Police (RCMP) serve 
as a key investigative mechanism in Canada and offer training and investigative 
support for local agencies. They also serve as a key partner in the Canadian 
National Child Exploitation Coordination Centre (NCECC), the focal 
point of contact for online exploitation cases that cross jurisdictional boundaries 
within Canada or internationally (Royal Canadian Mounted Police, 2020). All 
of these agencies also take online reports and tips concerning child porn and 
exploitation to serve as a basis for investigation. 

In the United States, Internet Crimes Against Children (ICAC) task 
forces provide a mechanism for coordination between local, state, and federal 
law enforcement, as well as prosecutors (ICAC, 2020). The ICAC program 
currently comprises 61 task forces, with a presence in every state. Some states 
with larger populations and geography have multiple ICACs, such as Florida, 
California, and Texas (ICAC, 2020). The program began in 1998 under man- 
date from the Office of Juvenile Justice and Delinquency Prevention (OJJDP) 
in order to improve the resources available to combat youth victimization at all 
levels of law enforcement, including investigative resources, forensic and tech- 
nological assistance, and prosecutorial guidance. In fact, there is now a regular 
schedule of digital forensic and investigative training for ICAC investigators 
offered across the country, which are supported by various federal agencies 
(ICAC, 2020). 

Though this may seem like a complex organizational hierarchy to under- 
stand, the response to child pornography and exploitation cases requires mul- 
tiple points of coordination and response. A successful investigation requires 
that arrests and takedowns occur as close together as possible to avoid offenders 
realizing that they may be caught and attempting to flee or destroy evidence that 
may implicate them in criminal activity. Investigations that begin at the local 
level may also lead to evidence of criminal activity in other nations, which may 
increase the scope of agencies that may need to become involved in order for 
arrests and prosecutions to be both legal and successful. 

This is evident in the recent series of arrests that took place around the world 
as part of Operation Spade (Ha, 2014). This investigation began in Canada in 
2010 and implicated a child pornographer operating out of Romania under the 
name Azov Films, who produced content that was generated by individuals 
living in the United States, the United Kingdom, and Australia, among other 
nations (Ha, 2014). Agencies within each country investigated domestic inci- 


dents, shared this information with their partner agencies abroad, and timed 


arrests and takedowns to occur in such a way as to have the widest possible 
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impact on content generators and users. As a result, hundreds of people were 
arrested around the world in 2013 and 2014. 


For more information on Operation Spade, go online to: https:// 
www.sott.net/article/268763-Nearly-400-children-rescued-and-348- 
adults—arrested-in-Canadian-child-pornography-bust 


Given that child exploitation cases can be international in scope, there is 
the VGT in order to coordinate responses to multinational investigations. The 
VGT was established in 2003 and is an alliance of agencies and private industry 
that work together in order to identify, investigate, and respond to incidents of 
child exploitation (VGT, n.d.). The team comprises federal law enforcement 
agencies in Australia, Canada, Columbia, the Netherlands, New Zealand, the 
Philippines, South Korea, Switzerland, the United Arab Emirates, the United 
Kingdom, and the United States, as well as Europol and Interpol (VGT, n.d.). 
The VGT takes complaints of child exploitation, coordinates multinational 
investigations, and provides resources for children and adults to protect them- 
selves online. They have been tremendously successful in investigating child 
pornography and abuse cases, leading to arrests of individuals around the globe, 
as in the recent Operation Globe case (see Box 8.9 for detail). 


Box 8.9 The Virtual Global Taskforce in Action 
VTG Announce 20 Arrests in 6 Months from Operation Globe 


http://virtualglobaltaskforce.com/2016/vgt-announce-20-arrests-in- 
6-months-from-operation-globe/ 


The VGT released the results of ‘Operation Globe’... which resulted 
in the arrest of 20 offenders, and the identification of approximately 


30 victims in 18 cases, some of which are still ongoing. 


This study provides an overview of a recent case investigated and pursued 
by members of the Virtual Global Taskforce to combat child exploita- 


tion cases. 
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Summary 


Taken as a whole, it is clear that any new technology or application will likely 
become a platform that individuals use in order to facilitate a sexual attraction to 
children. There is no immediate or easy solution to the challenge of eliminating 
child sexual abuse and victimization. This is also one of the few crimes that lead 
to substantive international investigations and cooperative working agreements 
between agencies. Given that technology changes so frequently and may be 
subverted by offenders in distinct ways, there will be a need for constant inquiry 
into the nature of sexual offenses in online and offline environments to improve 
and adapt the criminal code to new offenses. Likewise, law enforcement must 
understand offender behaviors so as to better collect evidence that can support 


the investigation and prosecution of sex offenders. 


Key Terms 
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Information Technology Act of 2000 

International Centre for Missing and Exploited Children (ICMEC) 
Internet Crimes Against Children (ICAC) 

Internet Watch Foundation (IWF) 

National Center for Missing and Exploited Children (NCMEC) 
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Networking 
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North American Man-Boy Love Association (NAMBLA) 
Operation Predator 

Operation Rescue Me 
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Children Today Act (or PROTECT Act) of 2003 

Protection of Children Act 1978 (PCA) 

Protection of Children Against Sexual Exploitation Act 
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ThinkUKnow 

To Catch a Predator 

Traders 

Travelers 

Trawlers 

US Postal Inspection Service 

Violent Crimes Against Children International Task Force (VCACITF) 
Virtual Global Taskforce (VGT) 
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Discussion Questions 


1. Since technology constantly evolves, what applications or devices do you 
think may be misused in the future as a platform for individuals to engage 
in the production or distribution of child sexual exploitation material 
(CSEM)? 

2. In what ways does the ability to communicate about sexual interests with 
children help make it possible for individuals to justify their actions and 


offend over time? 


ad 


Why do you think we sanction individuals who possess or access CS9EM 
with more severity than we do hackers or data thieves? Why would there 


be such differential sanction use? 
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Chapter Goals 


e¢ Understand the difficulty in separating the term “bullying” from har- 
assment and stalking 

e Identify the prevalence and correlates of cyberbullying 

e Identify the correlates of cyberstalking 

e Examine where and how cyberbullying is a crime 

e Explore the laws designed to prosecute cyberstalking at the national 
and state levels 

e Explain why local law enforcement is more likely to investigate these 
forms of cyber-violence 


e Discuss the extralegal agencies that investigate these activities 


Introduction 


The development of email and other forms of computer-mediated commu- 
nications, or CMC, has completely changed the way in which we engage 
socially with others. Instagram, Twitter, Snapchat, and other social media 
platforms make it easy for us to tell friends and the whole world what we are 
up to, when, and with whom, around the clock. Geotagged posts on social 
media sites like Snapchat and Twitter also allow other users to know where 
others were in physical space at certain times. The ability to livestream our 
lives also allows us to share virtually every facet of our days with whoever 
is interested. 

The relatively open nature in which people can now lead their lives is unpar- 
alleled and limited only by an individual’s willingness to share. While it may 
seem that technology engenders users to be truthful about themselves and their 
lives, there is increasing evidence that people are very willing to say and post 
whatever they can to either become popular or to connect with individuals with 
whom they are interested to meet. 

In fact, the creation and development of relationships through social media 
predicated on false information has gained prominent attention in the last dec- 
ade. This act has been referred to as “catfishing” after the documentary movie 
and television show of the same name (Peterson, 2013). Both the film and show 
follow individuals as they attempt to disentangle and identify who is actually 
behind the social networking profile with whom they have built an emotional, 
though nonphysical, relationship. 


Cyberbullying and Cyberstalking 


For more on how to identify a catfish, go online to: https://www. 
cybersmile.org/what-we-do/advice-help/catfishing 


While catfishing is not illegal, individuals can be emotionally hurt as 
a result of discovering a relationship they developed is predicated on lies. 
In addition, catfishing is just one of many problematic behaviors that can 
emerge from the Internet and CMCs. When relationships dissolve and cou- 
ples break up, there is some evidence that the individual who was dumped 
may turn to email, Facebook, or even YouTube in order to post comments 
about his or her ex that are disparaging or hurtful. The increasing ability that 
we have to take video and images and send them to others has led some to 
post intimate or candid materials in online public places in order to embarrass 
or shame their ex. 

At the same time, young people are increasingly using technology as a means 
to send bullying or harassing emails to classmates or people that they do not like. 
Such messages may be readily ignored, but if the sender is persistent, or if others 
begin to “like” or repost the messages, it may lead the victim to feel ashamed, 
frightened, or depressed. A number of youth have tragically committed suicide 
over their experiences, though this is an extreme outcome. 

The most notable of these incidents occurred in 2006 with the suicide of 
a young girl named Megan Meier. She befriended who she thought was a 
young boy about the same age named Josh Evans through the social net- 
working site MySpace (Morphy, 2008). Their conversations became frequent, 
and eventually she became emotionally attached to him. That is, until he 
began to send her mean and hurtful messages and told her that the world 
would be a better place without her. Shortly thereafter, Megan hanged her- 
self and was found by her parents. It was subsequently discovered that the 
boy she was talking with did not actually exist. The account was an early 
instance of catfishing; it was actually created by Lori Drew, the mother of 
one of Megan’s former friends. The two younger girls had a falling out, and 
Drew opened the account to embarrass Megan. Though the outcome was 
not at all what Drew had intended (Morphy, 2008), it did not change the fact 
that Megan died. 


For more on the Megan Meier story, go online to: www.youtube. 
com/watch?v=fGY VHFY op9E 
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The Megan Meier case quickly became a lightning rod, drawing national 
attention to the problem of cyberbullying. Unfortunately, multiple instances of 
suicides stemming from cyberbullying have occurred worldwide. For instance, 
a 14-year-old girl named Hannah Smith in Lancashire, England, killed herself 
after receiving hundreds of harassing comments on the website Last.fm (Fricker, 
2013). Similarly, a 16-year-old girl in Singapore was thought to have commit- 
ted suicide as a result of a former boyfriend posting mean and hurtful comments 
on Facebook and via email (Chen, 2011). 

All of these instances demonstrate that the use of technology can cause 
real-world harm, which David Wall would classify as cyber-violence (see 
Chapter 1 for further discussion). What we know about these issues, how- 
ever, is challenged by the overlapping definitions of bullying, harassment, and 
stalking, as well as our limited knowledge of the prevalence of victimization. 
This chapter will explore these issues, beginning with the common defini- 
tions used for these offenses, estimates of both victimization and offending, 
and the impact that they have on victims in general. We will also discuss the 
inherent legal challenges that have developed and the existing statutes that 
can be used to prosecute these offenses. Finally, we will explore the agencies 
and groups involved in the investigation of these offenses. In turn, readers 
should be able to have a greatly expanded appreciation for the overlap of 
these events and the general threats these forms of online harm can pose to 


all Internet users. 


Defining Cyberbullying 


One of the most prominent concerns of the last decade is the issue of bullying, 
particularly cyberbullying, due to the increasing prominence of technology and 
its use among young people. In the physical world, bullying is typically defined 
as the use of intentional and repeated use of aggressive or negative behaviors 
based on an imbalance of power between individuals, most typically a weaker 
victim (Klomek et al., 2008; Nansel et al., 2001; Olweus, 1993). Bullying may 
take multiple forms, ranging from verbal threats or insults (like name-calling 
or teasing) to more serious physical harm (such as being hit or kicked). These 
behaviors may produce negative emotional reactions from the victim due to 
embarrassment, shame, intimidation, anger, sadness, or frustration (Klomek 
et al., 2008; Nansel et al., 2001). 

Many of these characteristics are evident when considering bullying in 
virtual environments as well. In fact, cyberbullying can be defined as any 
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intentional, aggressive behavior performed through electronic means (Hin- 
duja & Patchin, 2008). Though a bully cannot physically injure an individ- 
ual through CMCs, they can cause emotional harm and social embarrassment 
by sending threatening, mean, or hurtful messages via instant messaging, 
email, posts on social media, and text messages via cell phones (Hinduja & 
Patchin, 2008). 


For more on cyberbullying, go online to: 


1. www.cyberbullying.us 


2. www.bullying.co.uk/cyberbullying/ 


Similar to traditional bullying, cyberbullying can also take multiple forms. 
Willard (2007) proposed an eight-category typology of cyberbullying to char- 


acterize the activities of bullies and the experience of victims: 


ay 


Flaming: engaging in online fighting where users directly target one another 

with angry or irritated messages, often featuring vulgar language; 

2 Denigration: making comments about individuals’ characters or behaviors 
that are designed to harm their reputation, friendships, or social positions, 
such as saying that someone is homosexual or making fun of that person; 

3 Impersonation: falsely posting as other people to harm their reputation or 
social status by logging into their existing accounts to post messages or by 
creating fake accounts to masquerade as that person; 

4 Outing: posting real personal information about individuals to embarrass 
them, such as sending images of them in states of undress, posting who they 
are attracted to, or information about homosexual preferences which may not 
be known to the general public; 

5 Trickery: convincing individuals to provide personal information about 
themselves in what they think is a personal conversation, which is then 
revealed to the general public; 

6 Exclusion: intentionally keeping others from joining an online group, such 
as a network on Facebook or some other site online; 

7 Harassment: the repeated distribution of cruel or mean messages to a person 

in order to embarrass or annoy them; 


8 Stalking: the use of repeated and intense harassing messages that involve 


threats or cause the recipient to feel fear for their personal safety. 
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The typology proposed by Willard (2007) recognizes the substantive variation 
in harm that can occur online. In addition, it recognizes that bullying does 
not require repeated harm. Posting personal information online that was shared 
in confidence one time is cyberbullying. Messages, however, can also be sent 
repeatedly and nearly instantaneously to a prospective victim throughout the 
day (Jones et al., 2012). The constant exposure to hurtful messages can cause 
persistent and pervasive emotional and psychological harm for a victim. In addi- 
tion, a message can be posted in multiple environments, such as Facebook, 
Twitter, and YouTube, within a short amount of time. As a result, multiple 
individuals may engage in a bullying experience by reposting content or “lik- 
ing” what someone posts. This can cause significant harm for a victim by mak- 
ing them feel as though the whole world is laughing at them and they cannot 
escape it. Thus, cyberbullying may be just as harmful for the victim as real- 
world bullying — sometimes more. 

As a final point of concern, bullying could also be viewed as harassment or 
stalking. Many typically associate bullying, on or offline, with juvenile pop- 
ulations where power differentials are common. One researcher even went 
so far as to argue that cyberbullying can only occur between minors, whereas 
any other involvement with adults should be viewed as harassment or stalking 
(Aftab, 2006). Others have suggested that adults can be bullied, particularly in 
the workplace where there is greater potential for individuals to intimidate or 
otherwise affect those with less power (Kowalski et al., 2008). This has some 
salience in school environments, where students may attempt to harass their 
teachers online or make fun of them for certain activities. However, the degree 
to which teachers are harassed or bullied by students has been given relatively 
little focus. Most researchers instead focus only on the issue of bullying in juve- 
nile populations (see Kowalski et al., 2014). As a result, we will only discuss 
the issue of bullying in juveniles and discuss potential age variations later in 
the chapter. 


The Prevalence of Cyberbullying 


Rates of cyberbullying vary substantially based on the group of youth sampled, 
the time the data were collected, and the way in which bullying was defined, or 
operationalized, by the authors. These issues make it quite difficult to accurately 
document the scope of cyberbullying within a single place over time, let alone 
cross-nationally. Initial estimates of cyberbullying within the United States var- 
ied in the early 2000s with rates between 6 percent (Thorp, 2004) and 7 percent 
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in a 12-month period (Ybarra & Mitchell, 2004). Recent estimates from the 
United States suggest that rates of cyberbullying have increased, which may be 
a reflection of greater access to technology at early ages. Kowalski and Lim- 
ber (2007) found that 18 percent of a sample of middle school youth reported 
being cyberbullied over a 12-month period. Recent data collected by Hinduja 
and Patchin (2020) found that 14.5 percent of a sample of over 1,000 chil- 
dren of age 9-12 years in the United States reported having been cyberbul- 
lied. A separate sample collected by the same authors (Patchin, 2019) of almost 
5,000 youth aged 12-17 years reported a much higher rate of victimization: 
25 percent reported receiving mean or hurtful comments online in the past 
30 days. These rates, however, may be a result of distinctive student samples, 
as results from the nationally representative National Crime Victimization 
Survey-Supplemental Survey on bullying and cyberbullying found that 
approximately 15.3 percent of students aged 12-18 years were cyberbullied 
during the 2016-2017 academic year (US Department of Education, 2019). 
Cyberbullying victimization rates may be similar or lower than bullying rates 
depending on the study. The World Health Organization (WHO) recently 
reported that on average, 14 percent of 11-year-old boys and 11 percent of 
11 year old girls experience various forms of bullying across 42 nations (World 
Health Organization, 2016). Payne and Hutzell (2017), however, found that 
interpersonal bullying victimization (28.2 percent) occurred much more often 
than cyberbullying victimization (9.1 percent). As Payne and Hutzell (2017) 
note, negative online behaviors have become more normalized, and students 


may simply not acknowledge these behaviors as cyberbullying. 


For more information and statistics on cyberbullying, go online 
to: https://cyberbullying. org/teen-statistics 


It is also important to note that there is some variation in cyberbullying vic- 
timization rates and those of youth engaging in cyberbullying behaviors. Ybarra 
and Mitchell (2004) found 18 percent of a sample of youth engaged in cyber- 
bullying offending in a one-year period. More recently, Patchin (2019) found 
that in a sample of 4,972 youth from 2019, 15 percent of kids engaged in cyber- 
bullying behavior at some point in their lifetime. Only 11 percent of youth 
engaged in cyberbullying behaviors over the last 30 days when the survey was 
administered (Patchin, 2019). Rates among younger populations may be lower, 
as Hinduja and Patchin (2020) found that 3.2 percent of a sample of 1,034 
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youths aged 9-12 engaged in cyberbullying. Thus, there are some differences 
evident in the rates of cyberbullying offending and victimization. 

When examined internationally, the rates of cyberbullying victimization 
reported vary dramatically across place. A recent meta-analysis of international 
studies of cyberbullying victimization found that the average reported rate of 
victimization was lower in Canada (13.99 percent) and South Korea (14.6 per- 
cent) (Zhu et al., 2021). The rate was highest in Spain (57.5 percent), Malaysia 
(52.2 percent), Israel (45 percent), and China (44.5 percent), respectively (Zhu 
et al., 2021). These estimates are, however, substantially variable, as studies from 
China have shown rates of victimization to be as low as 6 percent to as high as 
46.3 percent depending (Zhu et al., 2021). Much of this variability depends on 
the ways the researchers measured cyberbullying, how large the sample of youth 
was, and when it was collected. 


For more information and statistics on cyberbullying, go online to: 
https://www.ijitee.org/wp-content/uploads/papers/v818s/H10200688 
S19.pdf 


Predictors of Bullying Online and Offline 


Taken as a whole, these statistics suggest cyberbullying is a problem that at 
least one out of every six youth may experience in his or her life. It is not clear 
how this will change as smartphone adoption and social networking applications 
expand across the world. Despite the lack of clarity on this issue, there are spe- 
cific factors that may increase the risk of cyberbullying victimization for youth. 

First, studies generally find that females may be more likely to report cyber- 
bullying victimization than males (Baldry et al., 2015; Kowalski et al., 2014; Lee 
et al., 2018; Smith et al., 2019; Zych et al., 2015). This may be based on the 
way that females and males differ in their expression of aggression and harmful 
behaviors. Boys generally report higher levels of physical bullying and aggressive 
behavior; females appear to use more indirect tactics focused on causing emo- 
tional harm through behaviors like spreading gossip (Boulton & Underwood, 
1992; Klomek et al., 2008; Nabuzoka, 2003; Smith et al., 2019). Meta-analyses 
and reviews of cyberbullying research have found mixed results regarding the 
relationship between gender and bullying, however, suggesting that there may be 
minimal gender differences in the risk of cyberbullying victimization and oftend- 
ing (Kowalski et al., 2014; Lee et al., 2018; Smith et al., 2019; Zych et al., 2015). 
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Second, there is also a link between age and cyberbullying victimization. 
While most research suggests that younger children are more likely to experi- 
ence bullying in the real world (Borg, 1999; Olweus, 1993), cyberbullying is 
more likely to be reported by older youth (Sbarbaro & Smith, 2011; Tokunaga, 
2010; Zych et al., 2015). The age variations noted may stem from differential 
access to technology since the very young may have limited access to computer 
and mobile phone technology (Alvarez-Garcia et al., 2018; Smith et al., 2008). 
As kids reach their early teens, they are more likely to receive access to comput- 
ers and phones, thereby increasing their exposure to bullying (Kowalski et al., 
2014). This issue may, however, exacerbate over time with increasingly early 
exposure to mobile devices. 

Third, in keeping with access to technology, the use of certain technologies 
may increase the risk of cyberbullying victimization. Spending time online in 
social networks, chat rooms, and email can increase one’s risk of experienc- 
ing electronic bullying or harassment (Berson et al., 2002; Hinduja & Patchin, 
2008; Holt & Bossler, 2009; Leukfeldt & Yar, 2016; Twyman et al., 2010; 
Ybarra & Mitchell, 2004). Many studies, however, do not find significant rela- 
tionships between general Internet usage and online harassment victimization 
(e.g., Bossler et al., 2012; Ngo & Paternoster, 2011). 

Fourth, risky technology behaviors and the methods through which individ- 
uals share information in online environments are also related to victimization 
because it decreases personal guardianship, or the ability to protect oneself from 
harm (Chen et al., 2017). Individuals who provide sensitive information about 
themselves in public places, like a social network profile, have an increased 
risk of bullying victimization (Mitchell et al., 2007). Posting school schedules, 
home addresses, or images and stories of themselves in compromising situations 
provides offenders fodder for attack (Hinduja & Patchin, 2009). The increased 
emphasis on photo and video-based social media applications like Instagram and 
Snapchat also create opportunities for individuals to target someone based on 
their gender or appearance. As a consequence, individuals who do not carefully 
manage personal or sensitive information may increase their risk of victimization. 

Fifth, being bullied in the real world is also unfortunately a strong predictor 
for being bullied in the virtual world as well. The relationship between bullying 
across both environments appears consistently, regardless of where the sample was 
generated (Erdur-Baker, 2010; Hinduja & Patchin, 2008; Kowalski et al., 2014; 
Wolke et al., 2017; Ybarra & Mitchell, 2004; Zych et al., 2015). This may be due 


to the fact that being bullied in the real world could immediately make someone 


a target for bullying in virtual spaces. In addition, the difficulty in escaping the 
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bullying experience when it operates both on and offline may have a greater 
impact on the victim, making them more likely to report negative psychological 
and emotional outcomes (Holt et al., 2013; Olweus, 1993; Tokunaga, 2010). 

To understand the predictors of bullying, we must also examine it from 
the offender’s point of view in order to provide insight into which youth are 
more likely to bully others. Studies generally find that boys are more likely than 
girls to cyberbully (Baldry et al., 2017; Lianos & McGrath, 2018). Youth who 
bully others appear to have a temper and may be easily frustrated (Camodeca & 
Goossens, 2005; Holt et al., 2012). They are also more likely to report lower 
levels of self-control and display behaviors indicating that as well (e.g., Lianos & 
McGrath, 2018). For example, they report greater problem behaviors at school 
(Hinduja & Patchin, 2008). At the same time, they also have low compassion 
and empathy toward others, making it difficult for them to understand how 
their actions affect other people (Camodeca & Goossens, 2005). 

Individuals who engage in cyberbullying also tend to engage in assault- 
ive behaviors offline, including bullying behaviors (Hinduja & Patchin, 2008; 
Kowalski et al., 2014). Cyberbullies also appear to spend more time online and 
engage in various online activities ranging from checking email to spending 
time in social networking sites, which is sensible given the mechanisms needed 
in order to bully others online (Hinduja & Patchin, 2008). As a result, it is 
important that we consider how the behavioral and attitudinal correlates of bul- 
lying may be used to better understand and intervene in bullying encounters to 


reduce the negative outcomes kids may experience. 


Differentiating Online Harassment and Stalking 


As identified earlier, some categorize harassment and stalking under the defi- 
nition of cyberbullying. These definitional issues make it difficult to truly dif- 
ferentiate harassment and stalking. In fact, Sinclair and Frieze (2000) argue that 
there is no way to identify what behaviors should be classified as harassment 
or stalking, and thus, the terms should be used interchangeably. There are, 
however, a few salient points that could be used in order to identify when an 
incident may be defined as online harassment or as cyberstalking. While 
both behaviors involve the constant use of email, text, or some other form of 
CMC, the effects these messages have on the victim are pertinent. Instances of 
harassment may be viewed as bothersome, annoying, or unwanted by the recip- 
ient, but these communications do not necessarily portray a threat (Turmanis 
& Brown, 2006). By contrast, cyberstalking may lead a victim to feel fear for 


Cyberbullying and Cyberstalking 


their personal safety and/or experience emotional distress (Bocy, 2004; Reyns 
& Fissel, 2020). In both cases, the recipient should indicate to the sender that 
they want the messages to stop. Such an indication is important in order to help 
law enforcement pursue a criminal case against the sender. 

It is also important to recognize that cyberstalking is related to, but not 
equivalent to, traditional stalking activities (Bocij, 2004; Bocij & McFarlane, 
2002; Reyns & Fisher 2018). In cases of real-world stalking, the actor may 
track his victim and show up unannounced and unwelcome in various places, 
which may intimidate or cause fear in the victim (Bocij, 2004). Cyberstalking 
may involve a variety of online activities that produce similar results, such as 
monitoring a person’s online behaviors, gathering personal information about 
that individual through various outlets, and sending hostile or threatening mes- 
sages that imply they will cause bodily harm to the victim or to their property 
(see Box 9.1 for an example; Bocij, 2004). 

The range of cyberstalking does not simply end with virtual threats. A few 
cyberstalkers have sent malicious software, like keylogging programs, in order 
to monitor all aspects of their victims’ behaviors (Bocij, 2004). Other cyber- 
stalkers make false posts in various sites impersonating their victims in order 
to embarrass them or cause them physical harm (Bocij, 2004). For instance, a 
convicted cyberstalker in the United States named Shawn Sayer posted sexually 
explicit videos of his ex-fiancé to porn sites under her actual name, along with a 


Box 9.1 Vickie Newton and Negative Outcomes 
of Cyberstalking 


Cyberstalking: Woman Sentenced for Harassing Victim on 
Social Media 


https:// www.tbi.gov/news/stories/woman-sentenced-for-cyberstalking 


The messages were relentless. A California woman couldn’t escape the 
barrage of malicious texts, phone calls, and social media posts origi- 
nating from a mysterious individual with whom she had no previous 


connection. 


This article provides insights into the experiences of an obsession-based 
stalker who went from being a criminal justice student in University to a 


convicted felon because of her fixation on a woman. 
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Facebook account that reposted the videos (Hoey, 2012). He would then con- 
tact individuals who liked the content and arranged meetings with the men at 
her home in order to have sex. The various men who showed up at the victim’s 
home were then confused when she had no idea why they were there and made 
her fear that she would be raped or otherwise hurt. 

A cyberstalker, however, does not have to engage in real-world stalking and 
vice versa (Bocij, 2004; Nobles et al., 2014). The anonymity afforded by the 
Internet coupled with the volume of information available about individuals via 
social network sites and other self-generated content allows people to engage in 
stalking behaviors with ease. In addition, cyberstalkers need not know their 
victims, which is in contrast to real-world stalking. Instead, a prospective stalker 
can identify any random target through Google searches or simple online inter- 
actions. For instance, a California-based security operations supervisor for eBay, 
named Philip Cooke, was arrested and is on trial at the federal level for cyber- 
stalking a couple in Natick, Massachusetts (Hook, 2020). The couple published 
an online newsletter that was critical of eBay’s practices, and Cooke took it 
upon himself to send threating messages and packages to the couple, including 
a fetal pig and books on surviving the loss of a spouse. As a result, the threats 
posed by cyberstalkers can be just as serious as those in the real world and can 
produce the same response in victims as those found in traditional stalking activ- 
ities offline (Bocij, 2004; Worsley et al., 2017). 


For an example of a stranger-driven case of cyberstalking, go 
online to: https://www.masslive.com/boston/2020/10/former-police- 
captain-philip-cooke-pleads-guilty-to-cyberstalking-massachusetts- 


couple-employees-sent-victims-bloody-pig-mask-insects-and-porn.html 


Rates of Harassment and Stalking 


In light of the challenges inherent in differentiating between harassment and 
stalking, it is important to attempt to identify the rates of these offenses in 
the general population. One of the best estimates of online harassment in the 
United States comes from the Youth Internet Safety Survey (YISS) spon- 
sored by the National Center for Missing and Exploited Children (Jones et al., 
2012). This study of youths aged 10-17 years who regularly used the Internet 
was administered in three waves, the first in 2000, the second in 2005, and the 


third in 2010. There was an increase in online harassment victimization across 
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the three time periods. First, the proportion of youth who reported online 
harassment, as defined by receiving threats or offensive comments either sent 
to them or posted about them online for others to see, grew from 6 percent 
in 2000 to 9 percent in 2005 to 11 percent in 2010. Within these samples, the 
number of youths who reported distress, as measured by fear or being upset 
because of the harassment, increased from 3 percent in 2000 and 2005 to 5 per- 
cent in 2010. In addition, the proportion of youths who experienced repeated 
harassment increased from 2 percent in 2000 to 4 percent in 2005 to 5 percent 
in 2010 (Jones et al., 2012). 

The YISS also captures youth engaging in harassment against other children. 
These figures showed an increase in the proportion of youth engaging in har- 
assment within each wave (Jones et al., 2012). Specifically, those kids making 
rude or nasty comments online increased from 14 percent in 2000 to 28 percent 
in 2005 to 40 percent in 2010. A similar increase was evident in youths who 
used online spaces to embarrass or harass someone out of anger or spite. This 
rate increased from 1 percent in 2000 to 9 percent in 2005 to 10 percent in 
2010. These figures illustrate that the prevalence of harassment has increased for 
modern youth. 

Similar responses are noted in populations of college students using assess- 
ments of their experiences over a 12-month period, though it again depends 
largely on the population sampled. In a study of New Hampshire college 
students, Finn (2004) found that 10-15 percent of students reported receiv- 
ing harassing messages via email or instant messaging, and more than half 
received unsolicited pornography. Similarly, Holt and Bossler (2009) found 
that 18.9 percent of a convenience sample of college students at a southeastern 
university received unwanted emails or instant messages. Also, in a random 
sample of students from a single university, Marcum et al. (2010) found that 
harassment victimization ranged from 6.5 to 34.9 percent, depending on the 
type of harassment reported. 

There are also a small number of sources available to understand the scope of 
cyberstalking. One of the few truly nationally representative studies assessing 
cyberstalking in the United States comes from the National Crime Victimi- 
zation Survey-Supplemental Survey (NCVS-SS; Catalano, 2012). Using a 
population of 65,270 people collected in 2008, the survey found that 26.1 per- 
cent of those who reported being stalked were sent emails that made them feel 
fear. The Measuring Cyberabuse Survey administered by Data and Society 


found that 8 percent of US Internet users 15 years or older had been contacted 


online in a way that made them feel unsafe or afraid at some point in their lives 
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(Lenhart et al., 2016). Similarly, the Pew Research Center found recently that 
7 percent of adults have been stalked online (Duggan, 2017). When examining 
college students, Reyns et al. (2012) found that up to 40 percent of college stu- 
dents have been cyberstalked at some point over their lives, if the definition of 
cyberstalking did not include feeling fear. If fear needed to be experienced for it 
to be considered cyberstalking, Reyns and Fisher (2018) found that only 2 per- 


cent of students were cyberstalked over the previous academic year. 


For more on the NCVS study, go online to: www.bjs.gov/content/ 
pub/pdf/svus_rev.pdf 


In Canada, statistics suggest that 7 percent of all adults received threatening 
or aggressive emails and instant messages (Perreault, 2013). The majority of 
these messages come from strangers (46 percent of male victims; 34 percent of 
female victims), or acquaintances (21 percent of male victims; 15 percent of 
female victims; Perreault, 2013). A recent survey conducted by the National 
Centre for Cyberstalking Research (2011) in the United Kingdom found 
that approximately 75 percent of a sample of 353 people experienced some 
form of online harassment. The majority of messages were sent via social net- 
working sites (62.1 percent males; 63.1 percent female) or through personal 
email accounts (55.8 percent males/56.4 percent females). There are, however, 
no current national statistics collected within the United Kingdom to assess 
arrest rates or victim reports of cyberstalking victimization (National Centre for 
Cyberstalking Research, 2011). 


Understanding Victims’ Experiences of Cyber-Violence 


It is clear that many aggressive and hurtful comments can be sent through CMCs 
and that many people are victimized as a result. The responses that victims have 
to bullying, harassment, and stalking, however, are quite varied. A proportion 
of individuals are able to brush off their experience and move forward without 
taking the comments of their harasser or stalker to heart. However, some expe- 
rience emotional or physical harm, and a very small proportion even go so far 
as to seriously contemplate suicide (Baiden & Tadeo, 2020; Ybarra & Mitchell, 
2004). To better understand the victim response, we will examine each form of 


cyber-violence in turn. 


Cyberbullying and Cyberstalking 


Cyberbullying produces effects often mirroring reactions to physical bul- 
lying. Victims of cyberbullying often exhibit symptoms of depression, stress, 
and anxiety (US Department of Education, 2019; Ybarra & Mitchell, 2004). 
Social withdrawal and school failure can also occur, with 19.4 percent of 
youth in the United States reporting negative impacts on their school work 
as a result of bullying (US Department of Education, 2019). These responses 
are more likely if cyberbullying incidents occur in tandem with offline bul- 
lying. Young people may begin to skip school, or be truant, in order to 
try to avoid persistent or repeated victimization (Katzer et al., 2009; Ybarra 
et al., 2007). In fact, data from a nationally representative survey of youth 
suggests that 15.2 percent of kids who were bullied avoided certain places 
in their school, while 4.5 percent avoided school activities and 4.8 percent 
skipped school entirely (US Department of Education, 2019). Truancy may 
also occur because the victim feels that school is no longer a safe place to 
be, particularly, when they experience substantive bullying both online and 
offline (Varjas et al., 2009). 

Some youth may also skip school to avoid shame, embarrassment, and stigma 
associated with their bullying experiences on or offline. In fact, Kowalski et al. 
(2008) argue that the negative impact of cyberbullying can even be worse than 
physical bullying experiences, due to the persistent nature of their victimization. 
A youth may be shoved, hit, or called names in the hallways at school, but they 
can escape that experience once they leave the campus. In contrast, cyberbul- 
lying is much more difficult to avoid, as bullying messages can be sent contin- 
uously to the victim, be reposted by others, and can also reappear, making the 
victim feel helpless (Baiden & Tadeo, 2020; Campbell, 2005; Li, 2006). 

One of the most noteworthy examples of the impact of cyberbullying on 
youth depression and behavior is the experience of Ghyslain Raza, also known 
as the “Star Wars Kid.” The 15-year-old Raza, a high school student in 
Trois-Rivieres, Quebec, Canada, made a video of himself swinging a golf ball 
retriever (Wei, 2010). His movements were similar to the style of Darth Maul, 
the dual-lightsaber-wielding Sith Lord from Star Wars: Episode 1. Raza had set 
up a camcorder to make a tape of himself for a school project in the fall of 2002 
and filmed himself with no intention of others seeing his “lightsaber” strikes. 
However, one of his classmates found the tape in April 2003 and showed it to a 
friend, who then converted the tape to a digital format. The two boys then dis- 
tributed the video via email to friends, and it began to spread across the student 


body. One student even posted the video to a peer-to-peer file sharing site with 


the title Jackass_starwars_funny.wmv, where it became a viral phenomenon. 
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The mental anguish young Raza experienced was quite severe because so 
many people saw the video and constantly made fun of him for his activities. 
He became severely depressed, dropped out of school, and was institution- 
alized for psychological treatment by the end of 2003 (Wei, 2010). Raza’s 
family sued the families of four of the boys who discovered the video and 
posted it online for damages and emotional harm, which led to an out-of-court 
settlement for an undisclosed amount. The video, however, has been seen over 
1 billion times on various online media outlets since it was first posted. Thus, 
the global spread of hurtful content can have substantial impact on a victim’s 
emotional well-being. 

In addition to school absences and emotional harm, some victims of cyber- 
bullying report having suicidal thoughts, or suicidal ideation, as a result of their 
experiences (Baiden & Tadeo, 2020; Hinduja & Patchin, 2008; Klomek et al., 
2008; Li, 2006). Individuals who experience suicidal ideation often have neg- 
ative attitudes generally, which may be a long-term consequence of bullying 
experiences on and offline (Arseneault et al., 2006; Baiden & Tadeo, 2020; 
Beran & Li, 2007; Nansel et al., 2001). Over the last few years, there has been a 
substantial amount of media attention around cyberbullying and suicide. Much 
of this stems from the seminal Megan Meier case discussed earlier and the mul- 
tiple incidents of cyberbullying victimization leading to suicides around the 
world (see Box 9.2 for details on the Audrie Pott suicide case). Thus, the con- 


nection between virtual and real experiences must be considered further. 


Box 9.2. The Unfortunate Suicides Resulting 
from Bullying 


Suicide Has Only Gotten Younger. These Two Families, 
Bonded by Loss, Are Taking Action 


https://www.usatoday.com/story/news/health/2020/03/07/youth- 
teenage-suicide-after-deaths-reno-nevada-parents-fight/4955635002/ 


The evidence from cross-sectional, longitudinal and empirical studies 
implicates smartphone and social media use in the increase in mental 
distress, self-injurious behaviour and suicidality among youth. 


This article provides an overview of the harm that can result from smart- 
phone use and cyberbullying incidents broadly. 


Cyberbullying and Cyberstalking 


Victims of cyberstalking and online harassment may report similar experiences 
to those of bullying because of the persistent messages and threats they receive. 
In particular, victims typically report feeling powerless, shamed, and socially iso- 
lated from others (Ashcroft, 2001; Blauuw et al., 2002; Reyns & Fissel, 2020). 
Anxiety and depression may also be a common outcome due to concerns about 
actualizations of threats or the worry over receiving more messages. 

Some victims of bullying, stalking, and harassment may begin to change their 
behaviors as a response to their victimization, deciding to either take steps to 
defend themselves or reduce their risk of further victimization. For instance, evi- 
dence from the NCVS supplemental study on bullying found that 3.9 percent of 
youths who were bullied carried a weapon to school, and 12 percent engaged in 
fights with others over their experiences (US Department of Education, 2019). 
A comparative analysis by Sheridan and Grant (2007) found no differences in 
the behavioral patterns of victims of either traditional or cyberstalking. Victims 
of traditional stalking report changing their behavior patterns in order to reduce 
the risk of victimization. Some also change their address, phone number, or 
email address in order to help reduce their ability to be identified (Baum et al., 
2009; Nobles et al., 2012). 

A small proportion of victims also begin to carry a defense weapon, like 
pepper spray (Nobles et al., 2012; Wilcox et al., 2007). Approximately 
10-15 percent of victims either stop spending time around friends or fam- 
ily in order to minimize their risk of exposure, or they begin to stay with 
loved ones in order to increase their feelings of personal safety and pro- 
tection (Nobles et al., 2012). Victims who felt higher degrees of fear were 
more likely to engage in a higher number of these self-protective behaviors 
(Nobles et al., 2012). 


Reporting Online Bullying, Harassment, and Stalking 


Though there are substantive psychological and behavioral consequences for 
victims of bullying, harassment, and stalking, it appears that very few report 
these incidents to agencies or individuals who can help them. While many 
researchers examine the prevalence of cyberbullying or traditional bullying, few 
have considered how often these behaviors are reported. One of the only stud- 
ies to look at reporting with a nationally representative sample suggests that 
approximately 75 percent of kids harassed told someone about the incident, 


though they primarily told friends rather than parents (Priebe et al., 2013). Sim- 


ilarly, the NCVS supplemental survey on bullying found that 45.6 percent of 
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youths contacted a teacher or school official about their experience (US Depart- 
ment of Education, 2019). 

The lack of reporting to parents or authority figures may be a consequence 
of concerns among youth that they may lose access to the technology that ena- 
bles cyberbullying (Hinduja & Patchin, 2009; Marcum, 2010). In fact, youth 
who experience cyberbullying were likely to have had a conversation with their 
parent(s) about harassment and the risks associated with online communication, 
though it did not affect their likelihood of reporting the incident (Priebe et al., 
2013). A logical parental response may be to take away their child’s cell phone 
or perhaps limit the amount of time that they can spend online. Such a response 
may be undesirable, especially for a teenager who only recently acquired a cell 
phone or is used to having unrestricted access to technology. 

Instead, many youths who are cyberbullied tend to simply delete the mes- 
sages they receive, ignore it when possible, or block the sender in order to 
reduce their exposure (Parris et al., 2012; Priebe et al., 2013). In fact, most 
youth only report the incident if they feel it is severe (Holtfeld & Grabe, 2012; 
Slonje et al., 2013), such as if it lasts for several days or produces a severe emo- 
tional response (Priebe et al., 2013). Limited research on the topic suggests 
that reporting cyberbullying experiences to parents decreases as youths age 
(McQuade et al., 2009; Slonje et al., 2013). Instead, teens are more likely to 
report cyberbullying experiences to their peers as a coping strategy. In addition, 
parents do not appear to report instances of cyberbullying to police due to per- 
ceptions that they will not be able to handle the case due to limited laws (Hin- 
duja & Patchin, 2009; McQuade et al., 2009). Similarly, there is some evidence 
that school administrators may not want to contact police due to concerns over 
how the incident will impact the school’s reputation (McQuade et al., 2009). 

Similar issues are evident in the number of cyberstalking or harassment 
cases reported to law enforcement agencies. Statistics on victim-reporting 
from the NCVS suggest that approximately 42 percent of female stalking vic- 
tims and 14 percent of female harassment victims contacted police (Catalano, 
2012). The data reported for this study were amended recently due to errors 
in the way in which some acts of stalking and harassment were coded. As a 
result, it is not clear how many cases were actually made known to police 
(Catalano, 2012). Using information from a nationally representative sample 
of female college students, Fisher and her colleagues (2000) found that less 
than 4 percent of women sought a restraining order against their stalker and 
less than 2 percent filed criminal charges. More recently, Fissel (2021) found 
that only 18 percent of cyberstalking victims reported their victimization to 
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law enforcement. Though there is less information available on cyberstalking 
and harassment victim-reporting internationally, evidence from the Canadian 
Uniform Crime Reporting (UCR) Survey found that the majority (70 per- 
cent) of victims reporting intimidation or harassment online were female 
(Perreault, 2013). 

Victims are more likely to report their cyberstalking victimization to law 
enforcement when the cyberstalking lasted longer and when the victim felt 
threatened, lost time at work or school, or suffered financial consequences (Fis- 
sel 2021; Reyns & Englebrecht, 2010). The lack of reporting for most stalking 
and harassment cases may be due to a perception among victims that their case 
will not be taken seriously by law enforcement (Nobles et al., 2012). Victims 
of crimes like sexual assault or domestic violence often feel that their experi- 
ence is not serious enough to report to police or will not be viewed as real 
by officers. In much the same way, victims of stalking and harassment cases, 
online or offline, may assume that officers will not be inclined to make a report 
or investigate. As a result, victims may feel abandoned by the criminal justice 
system and may proactively change behaviors that are perceived to put them 
at risk for further harassment. In fact, research suggests that victims who feel 
greater levels of fear because of the incident and perceive that they are being 
stalked are more likely to engage in multiple self-protective behaviors (Nobles 
et al., 2012). 


Regulating Cyberbullying 


The prevalence of these various person-based online crimes requires substantive 
criminal laws in order to prosecute individuals who choose to engage in these 
behaviors. The amounts of legislative effort placed on these crimes, however, 
are mixed, depending on the offense. For instance, there are no federal statutes 
in the United States concerning bullying or cyberbullying. This is not a sub- 
stantial issue given that most instances of cyberbullying involve people living in 
close physical proximity to one another. 

Some advocates called for the development of new federal laws after the 
death of Megan Meier and the subsequent failure to successfully prosecute this 
case. Specifically, Lori Drew, one of the two women responsible for the cre- 
ation of the false MySpace page and comments that led to Meier’s suicide, 
was charged in federal court for violations of the Computer Fraud and Abuse 
Act (Steinhauer, 2008; see Box 9.3 for detail on the applicability of these stat- 


utes). She was charged with three felony counts of computer fraud and one 
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Box 9.3. The Computer Fraud and Abuse Act 
Applied to Megan Meier's Death 


The Computer Fraud Act: Bending a Law to 
Fit a Notorious Case 


www.ecommercetimes.com/story/65424.html 


Officials were determined to punish Lori Drew for something — the 
suicide of young Megan Meier seemed a direct consequence of her 
actions ... Drew ultimately was convicted of three misdemeanors, but 
prosecutors had to stretch a law beyond its original intent in order to 


win that outcome. 


This article explains how Lori Drew was prosecuted under CFA statutes in 
the United States, and why the case was fraught with difficulty. The case 
demonstrates why cybercrime law must be developed with flexibility and 


prospective application as technologies change. 


conspiracy count under the assumption that she violated MySpace’s terms of 
service, which included the stipulation that users could not create fictitious 
accounts. The jury found Drew guilty on these three charges, though they 
were reduced to misdemeanor counts, and the conspiracy charge was thrown 
out (Steinhauer, 2008). The three charges of computer fraud, however, 
were also thrown out and Drew was fully acquitted in July 2009 after the 
judge argued against the use of this statute, which is normally reserved to 
prosecute computer hackers and data thieves (see Chapters 3 and 6 for details 
on the statutes; Zetter, 2009). 

In the wake of the failed prosecution and debate over the utility of existing 
legislation, the Meier family began to pursue the creation of new laws to pro- 
tect victims and seek justice against offenders at the federal level. This led to the 
development of US HR1966, called the Megan Meier Cyberbullying Pre- 
vention Act, which was proposed in 2009. This legislation would have made it 
illegal for anyone to use CMC “to coerce, intimidate, harass or cause substantial 
emotional distress to a person,” or use electronic resources to “support severe, 
repeated, and hostile behavior” (Hinduja & Patchin, 2013, p. 17). The proposed 
legislation would have allowed for either fines or a two-year prison sentence. 
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Box 9.4 The Failure of the Megan Meier 
Bullying Legislation 


Cyberbullying Bill Gets Chilly Reception 


www.wired.com/threatlevel/2009/09/cyberbullyingbill/ 


Proposed legislation demanding up to two years in prison for electronic 
speech meant to “coerce, intimidate, harass or cause substantial emo- 
tional distress to a person” was met with little enthusiasm by a House 


subcommittee on Wednesday. 


This article provides an overview of the failures in creating legislation to 
outlaw cyberbullying at the federal level in the United States. The political 
and legal challenges that affect the adoption of legislation are both interest- 


ing and divisive and are further elaborated in this work. 


This resolution was not successfully passed into law (see Box 9.4 for details on 
the failure of this legislation). 

Though the lack of federal legislation on bullying is bothersome, 49 states 
(with Montana as the sole hold-out) and the District of Columbia have laws in 
place concerning bullying and require that schools have policies in place con- 
cerning bullying behaviors (Hinduja & Patchin, 2016). In addition, 48 states 
have language in their legislation recognizing the term cyberbullying or online 
harassment (Hinduja & Patchin, 2016). Forty-four states and the District of 
Columbia provide criminal sanctions for bullying behaviors (Hinduja & Patchin, 
2016). Virtually all states (45) require schools to provide some sort of punish- 
ment for bullying so as to affect the behaviors of the bully and give some retri- 
bution for victims. 

Seventeen states and the District of Columbia also include language indi- 
cating that bullying can occur off-campus and can still be sanctioned (Hinduja 
& Patchin, 2016). Some argue that it may be inappropriate to extend school 
jurisdictions past the school grounds, as parents should be responsible for man- 
aging youth behavior. Given the impact that bullying victimization can have on 
students’ academic performance, attendance, and mental health generally, some 


argue it is necessary for schools to extend protection to students and sanction 


bullies who engage in harmful communications while off-campus. 
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The complexities inherent in legislating against bullying are also evident around 
the world. Singapore recently criminalized online harassment and bullying behaviors 
under the Protection From Harassment Act of 2014, which includes the (1) use of 
any threatening, abusive, or insulting words or behavior, or (2) making threats, abu- 
sive, or insulting communication that can be seen, heard, or perceived by another 
person to cause harassment, alarm or distress. There is, however, no legislation at 
the national level in Canada, Australia, or the United Kingdom. These offenses may 
be prosecuted under other existing laws, though nations may choose to develop 
cyberbullying-specific legislation in the near future as public outcry increases. 


Regulating Online Harassment and Stalking 


Unlike cyberbullying, many nations have statutes that may be applied to instances 
of threatening or harassing communications. Under Title 47 of the US Criminal 
Code, Section 223(A) defines six acts involving a telecommunications device in 
interstate or foreign communications as illegal, including: 


1 Making, creating, soliciting, or initiating, the transmission of requests or 
proposals that are obscene or involve child pornography with the intent to 
annoy, threaten, abuse, or harass; 

2 Doing these same activities knowing that the recipient is under the age of 
18 years; 

3 Using a telecommunications device without disclosing your identity with the 
intent to annoy, abuse, threaten, or harass an individual at the called number; 

4 Causing another person’s phone to ring continuously to harass or annoy that 
person; 

5 Making repeated calls designed solely to harass that person; 

6 Knowingly permitting a telecommunications device or facility to be used for 
any of these activities. 


While some of these behaviors may not seem criminal, it is important to recog- 
nize that a stalker or harasser can easily automate the process of calling a phone 
number over and over again in order to annoy the recipient. As a result, the 
outcome of the contact is just as pertinent as the behavior itself. In addition, 
the phrase “telecommunications device” can be applied to a cellular phone or 
even voice over IP (VOIP) telephony. Thus, this law does not pertain solely 
to landline phones. The punishment for these activities includes fines and/or 


imprisonment for up to two years. 
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In addition, Section 875 of Title 18 of federal code makes it a crime to 
transmit any of the following four communications via interstate or foreign 


commerce methods, including postal mail, telephone, or the Internet: 


1 A demand for a ransom for the release of a kidnapped person 
2 A message with the intent to extort money 
3 A threat to injure a person 


4 A threat to damage property 


The punishments for these offenses vary, including a fine and two years in 
prison for threats to property or extortion, as well as up to 20 years in prison for 
threats of kidnapping and physical injury. 

Additionally, Code 18 Section 2261A of the federal law makes it illegal for 
any person to use an interactive computer service or any facility of interstate 
or foreign commerce in order to engage in activities that cause a person to feel 
substantial emotional distress or place that person in reasonable fear of death or 
serious bodily injury to themselves or their family (Brenner, 2011). In addition, 
this statute makes it illegal to travel across state lines with the intent to kill, 
injure, harass, or intimidate another person and place them or their family in 
fear of death or serious bodily injury (Brenner, 2011). 

The penalties for these behaviors involve a fine and/or five years in prison if 
the individual simply makes the threat. If serious bodily injury resulted from the 
offender using a weapon, they may receive up to ten years in prison. Should a 
victim be permanently disfigured or receive a life-threatening injury, then the 
offender may receive up to 20 years in prison. Finally, should the victim die as a 
result of the offender’s actions in relation to threats made, they may receive up 
to a life sentence for their actions (Brenner, 2011). 

It is important to note that these two statues require that a credible threat is 
made to either a person or property. The need for a so-called true threat stems 
from the case of United States v. Alkhabaz, involving a student at the Univer- 
sity of Michigan named Abraham Jacob Alkhabaz, or Jake Baker (Brenner, 
2011). He wrote graphic stories describing acts of rape, torture, and murder and 
posted them to a Usenet group starting in October 1994. In one of these stories, 
he described performing acts of rape and eventually killing a woman who had 
the same name as one of his female classmates. His posts led the subject of the 
story to complain to the University of Michigan police, who investigated and 


brought in the Federal Bureau of Investigation (FBI) due to the interstate nature 


of online communications. Baker was arrested on six counts of communicating 
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threats to kidnap or injure a person, though only one of those counts involved 
the woman who was the subject of the story. The case was dismissed by the 
judge due to a lack of evidence that Baker would actually act out the fantasies 
described in his writings. The government appealed the case to a higher court, 
but the decision was upheld as the lack of evidence that Baker would act on the 
threat demonstrated a lack of a “true threat” to any individual (Brenner, 2011). 
Thus, this case established the need for the communications to generate actual 
fear or concern for safety. 


For more on the Alkhabaz case, go online to: www.casebriefs. 
com/blog/law/criminal-law/criminal-law-keyed-to-dressler/inchoate- 
offenses/united-states-v-alkhabaz/ 


At the state level, virtually all states have legislation pertaining to either 
cyberstalking or harassment. There is some variation as to the type of laws in 
place, as some states have legislation against both offenses (Brenner, 2011). 
Since the passage of California’s 1990 anti-stalking statute, every state has 
passed anti-stalking statutes that can be used to prosecute cases of cyber- 
stalking (Reyns & Fissel, 2020). The statutes recognize the use of CMCs 
to annoy, harass, or torment the victim and are differentially located with 
state criminal codes. For instance, Arizona, Utah, and Virginia place online 
harassment under its own statute, while Delaware, Missouri, and New York 
incorporate these crimes under existing harassment and stalking legislation 
(Brenner, 2011). The punishments for both cyberstalking and harassing com- 
munications range from misdemeanors to felonies, depending on the severity 
of the offense. 

It is important to note that most nations do not technically define cyber- 
stalking in their actual legislation. In fact, there is no language in the Euro- 
pean Convention of Cybercrime pertaining to stalking or harassment 
(Brenner, 2011). Instead, cyberstalking behaviors are subsumed under exist- 
ing legislation regarding stalking generally. Australia, for instance, criminal- 
ized cyberstalking through the Stalking Amendment Act of 1999 (Boci, 
2004). This statute recognizes that contacting a person in any way, including 
phone, fax, email, or “through the use of any technology,” to cause the vic- 
tim apprehension or fear to their detriment constitutes unlawful stalking. 
Canadian law allows for prosecutions under Section 264 of the Criminal 
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Code for stalking offenses involving repeated communications directly or 
indirectly with the victim or anyone that they know and/or engaging in 
threatening conduct toward their victim or family members (Department of 
Justice Canada, 2012). The punishment for such a violation is up to ten years 


in prison if convicted. 


For more on the growth of cross-national cyberstalking and harass- 
ment cases, go online to: http://www.newsweek.com/2014/08/22/ 
how-law-standing-cyberstalking-264251.html 


Similarly, England and Wales have multiple laws related to stalking and har- 
assing communications that can all be extended to online environments. First is 
the Protection from Harassment Act 1997 (c40), which criminalized stalk- 
ing and bullying in professional settings. This act prohibits conduct that consti- 
tutes harassment of others, assuming that a reasonable person would believe the 
behavior to be harassing (Crown Prosecution Service, 2013). Violations of this 
statute can be punishable by up to six months of incarceration and fines when 
considered appropriate by a judge. 

Section 4 of the Act criminalizes the act of putting others in fear of violence, 
defined as any course of conduct that would cause “another to fear, on at least 
two occasions, that violence will be used against him is guilty of an offence if 
he knows or ought to know that his course of conduct will cause the other 
so to fear on each of those occasions” (Crown Prosecution Service, 2013). In 
addition, the offender must know that their actions will cause their prospec- 
tive victim to fear that they will experience violence. Thus, the offender must 
know that they are actively affecting the behavior and demeanor of their victim. 
Anyone found guilty of such an act could receive up to five years in prison and 
receive fines based on judicial discretion. 

This Act was revised through the introduction of the Protection of Free- 
doms Act 2012 to include language specifically related to stalking and incor- 
porate aspects of technology into law (Crown Prosecution Service, 2013). 
Specifically, it added new language to Section 2 (regarding stalking to harass) 
and Section 4 (about stalking to cause fear). In Section 2, stalking is defined as 
harassment of a person or behaviors associated with stalking, including following 
a person, contacting them by any means, monitoring their victim through any 


form of electronic communications or the Internet, and publishing materials or 
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statements about a person or claiming a comment originates from another per- 
son (Crown Prosecution Service, 2013). Anyone found guilty of such an offense 
can be imprisoned for no more than one year and/or receive a fine. Section 4 
now defines stalking where the victim feels fear as any act that leads the target 
to fear they will be violently victimized or cause that person fear or distress that 
affects their day-to-day behaviors on at least two occasions (Crown Prosecution 
Service, 2013). Individuals found guilty of this activity can be imprisoned for up 
to five years and/or receive a fine. 

In addition, the Malicious Communications Act 1988 enables individ- 
uals to be prosecuted for sending messages to another person for the purpose 
of causing fear or anxiety (Crown Prosecution Service, 2013). This Act was 
revised in 2001 to include electronic communications of any kind that convey a 
threat, indecent or offensive content, or information that is false. Any violation 
of this Act is punishable by no more than six months imprisonment and a fine. 

India also criminalized stalking and cyberstalking under the Criminal 
Amendment Ordinance, 2013, under Section 354D, recognizing any attempt 
to (1) follow, (2) contact, or (3) attempt to contact a person despite their clear 
indications of disinterest, or (4) monitor a person’s Internet, email or electronic 
communication, or (5) physically watch or spy on a person (Halder, 2013) These 
actions must lead a person to feeling fear of violence, serious alarm or distress, 
or affects their mental state. Individuals found guilty of stalking can be fined and 
may be imprisoned for one to three years (Halder, 2013). 


Enforcing Cyber-Violence Laws and Norms 


As noted earlier in the chapter, cases of cyberbullying, harassment, and stalk- 
ing are not necessarily reported to law enforcement agencies either due to 
embarrassment on the part of victims or because the victim feels that the 
case may not be investigated or taken seriously by police. The lack of federal 
laws in the United States that can be used to pursue legal action means that 
the various federal agencies discussed throughout the book are not normally 
involved with these types of crime. The FBI, however, may investigate cases 
of threats or stalking, but only if it involves a substantive threat that crosses 
state lines. 

Instead, most incidents of bullying, stalking, and harassment in the United 
States and elsewhere are handled by local or state law enforcement agencies 
due to the potential for offenders and victims to live in close proximity to 
one another. In fact, a sample of 358 state and local law enforcement agencies 
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indicated that 71.8 percent of them investigated harassment cases (Holt et al., 
2010). Despite the preference for local agencies to investigate, there are no 
immediate statistics available for the reported rates of cyberbullying, harassment, 
or stalking in official statistics provided by law enforcement agencies. 

This is largely the result of the fact that these items are not currently 
included in the existing reporting resources provided in the Uniform Crime 
Report (UCR). Though there is some potential information available con- 
cerning the incidence of intimidation involving computers in the National 
Incident-Based Reporting System (NIBRS) (Addington, 2013), the data 
is limited due to the fact that only 32 states currently provide information to 
NIBRS, which is much lower than that of the UCR. As a result, it is unclear 
how frequently these offenses are reported to the police or cleared by arrest 
(Addington, 2013). 

Though local law enforcement can serve as a critical investigative resource 
for the investigation of certain offenses, some victims may not choose to contact 
police because they are not sure if what they are experiencing may even be 
legally defined as stalking or harassment. To that end, there are several not-for- 
profit groups that operate to assist victims online. In the United Kingdom and 
United States, the group Cybersmile is well known for its role in educating 
and assisting victims of cyberbullying. This charitable organization was founded 
in 2010 to educate the public on the harm caused by cyberbullying through 
service programs in schools and neighborhoods (Cybersmile, n.d.). Cybersmile 
offers educational workshops for the public on cybersecurity and cyberbullying 
that are provided by community outreach workers affiliated with the group. In 
addition, they offer a helpline for bullying victims to help connect them with 
pertinent community services and counseling providers in their area. The group 
also advertises unique academic research publications related to cyberbullying 
victimization in order to communicate these issues to the public. Finally, Cyber- 
smile organizes an annual Stop Cyberbullying Day designed to draw attention 
to the problem through community outreach events and fundraising to aid the 


organization (Cybersmile, n.d.). 


For more information on organizations that aid victims, go =e 


online to: 


1. www.cybersmile.org/, 
2. https://www.stalkingawareness.org/ 
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The Stalking Prevention, Awareness, and Resource Center (SPARC) 
serves a similar role in the United States, as they offer education and resources 
to assist stalking victims (SPARC, 2020). The Center is supported by funding 
from the Office on Violence Against Women (OVW) and provides trainings 
for police, prosecutors, probation, and parole officers regarding the unique 
dynamics that drive stalking victimization and offending. SPARC also offers 
tools for victim service agencies to improve their capacity to aid stalking vic- 
tims (SPARC, 2020). They also offer resources for trainings for the general 
public to improve their understanding of the risks of stalking, such as webinars, 
printable brochures, and other materials to improve people’s general knowl- 
edge of this crime. 

As a result of the problems that law enforcement and nonprofit organiza- 
tions have in helping individuals after they have been victimized, researchers, 
advocacy groups, and even schools emphasize the need for individuals to take 
control of managing their personal safety as a key tool in reducing their risk of 
bullying, stalking, and harassment. This may be due to the overwhelming role 
of individual choice in online spaces. For instance, no one is required to have 
an account on a social networking site like Facebook, Instagram, TikTok, or 
Twitter. There are also myriad options for encrypted applications and services 
that connect people into hidden networks. 

Certainly, people are able to stay current with their friends and keep abreast 
of current events through these sites, but it is not a necessity. If they establish 
an account, they decide how much information to post about themselves and 
in what way they accept or maintain friends. Should that person feel dissatisfied 
with a post or an exchange with another person, they have the power to delete 
those messages. In fact, one of the top “tools” both Facebook and Instagram 
provides for users to maintain their security is the ability to unfriend someone, 
block individuals, and use the “Report” button in order to bring that content to 
the attention of their internal security teams. It is not clear how many reported 
incidents are investigated. For example, Instagram notes (Instagram, n. d.): 


If you have an Instagram account, you can report abuse, spam or anything 
else that doesn’t follow our Community Guidelines. Keep in mind that your 
report is anonymous, except if you’re reporting an intellectual property 


infringement. The account you reported won’t see who reported them. 


Since various tools are readily available, it makes sense to argue that personal 
responsibility and accountability for safety should be encouraged. The challenge 
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lies in clearly communicating these issues to young people and those with less 
computer skill and online experience. An excellent example of security in action 
can be seen in the creation and use of email accounts. Various services provide 
free email accounts, such as Hotmail, Yahoo, and Gmail. When a person sets 
up their account, it is important to avoid using either their real name or a gen- 
dered term in the address. It may be easier to determine a person’s identity if 
their email address or social media name is Janelovesmovies4419 than if it were 
something more neutral, like moviefan. Similarly, the use of sexual or explicit 
language in your email address or social networking profile may also increase 
the potential to receive unsolicited emails. 

In order to curb instances of bullying and harassment among youth, many 
security experts recommend that parents place computers in public spaces 
within their home, like the kitchen or living room, and require kids to have 
some parental supervision while online. The ability to quickly observe the kinds 
of websites kids visit and periodically monitor their online activities could help 
to reduce the number of questionable websites to which they are exposed. 
However, cheap access to lightweight portable Internet-enabled devices, like 
iPods, iPads, Kindles, and laptops, makes it difficult to ensure that kids are using 
devices in close proximity to parents. Some also argue that parents should install 
filtering software to manage the kinds of websites their kids can visit. These 
devices can, however, be difficult for parents with little technological skill to 
set up or properly configure to ensure maximum effectiveness. Recent research 
suggests kids are able to easily circumvent these protective software programs 
or use other wireless Internet access points in order to avoid these devices alto- 
gether (Bossler et al., 2012; Jones et al., 2012). Even if a parent is able to prop- 
erly configure software at home, it does not matter once their child goes to 
school or to a friend’s house, where they have less control over their children’s 
Internet activities and access. 

Because of the inherent difficulty in managing the online experiences 
of young people, one of the most important steps that parents and schools 
can take is to begin a frank and honest conversation about Internet use (see 
Box 9.5 for Facebook’s suggestions for parents). Understanding how and why 
young people are using technology is vital to keep pace with their changing 
online habits. Furthermore, it is important to recognize that adults can and 
should play a role in the socialization of youth into acceptable online behav- 
iors. Parents and guardians teach kids what is right and wrong in the physical 


world, and that same experience must play out in online spaces. Admittedly, 


young people are exposed to millions of people around the world through 
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Box 9.5 Facebook Security Suggestions 
for Parents 


Parenting Tips 


https://www.facebook.com/safety/parents/tips 


Let your child know that the same rules apply online as apply offline. If 
it’s not something you want others to do to you, don’t do it to others. 
Just as you might tell your child to look both ways before crossing the 
street or to wear a helmet while riding their bike, teach them to think 


before they share online. 


This article provides Facebook’s suggestions on how parents and 
teens should work together to be safe while online. Many of these 
ideas are not novel but require a clear line of communication between 
adults and children and an ability to respect one another’s privacy and 


responsibilities. 


the Internet, and not all of those people will be on their best behavior at all 
times. Thus, it is critical that someone be able to explain and give context 
to why certain activities may happen but should not be performed by their 
child. For instance, just because friends post their class schedule or where they 
will be at a specific time of day on Facebook does not mean that they have 


to do it as well. 


Summary 


In reviewing our knowledge of bullying, harassment, and stalking, it is clear 
that this problem will not go away. Technology has made it incredibly easy 
for individuals to send hurtful or threatening communications online, and the 
perception that victims may not be able to report their experiences means 
that incidents may go unacknowledged. As a result, it is hard to combat this 
problem because of confusion over who has the appropriate jurisdiction to 
investigate the offense and whether or not it is a crime based on existing stat- 
utes. The increasing public attention drawn to the serious consequences of 


Cyberbullying and Cyberstalking 


cyberbullying and stalking cases, however, may force a change in the policy 
and social response over the following years. The attempts to develop national 
laws around cyberbullying are an excellent demonstration of the ways that 
society is attempting to respond to these acts. Thus, the way that we deal with 
bullying and stalking will no doubt change over the next ten years as percep- 


tions of these behaviors change. 
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Discussion Questions 


1. Should we define youth who make harassing or disparaging comments 
about their teachers in online spaces as engaging in cyberbullying, or is it 
harassment? Simply put, why should we define an act differently on the 
basis of the ages of the victim and offender? 

2. How do we communicate what is acceptable online behavior to youth in 
a way that is accepted and clear? Furthermore, how do we limit the effects 
of “peer pressure” on technology use and acceptance, where friends post 
sensitive information about themselves or personal pictures that could be 
abused by others? 

3. How easy is it to find the reporting tools and links for harassing language 
on the social networking sites you use most often? Look on the sites and 
see how long it takes you to find it on YouTube, Instagram, Snapchat, 
and Twitter. Are they easy to find? Are they in obvious places? 


aN 


. Should schools be able to punish students for online activities that take 
place outside of the campus and after or before school hours if it directly 
affects the behavior of other students? Why? 
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Chapter Goals 


e Define terror and differentiate it from cyberterror 

e Identify hacktivism and examine how it differs from both traditional 
acts of hacking and cyberterror 

e Recognize the value of the Internet as a vehicle for recruitment and 
communications 

© Understand the different ways that extremist groups and non-nation- 
state-sponsored actors use the Internet 

e Discuss the various laws used to secure the United States and other 
countries from the threat of terror 

e Recognize the agencies responsible for the investigation of terror in 


online spaces 


Introduction 


Terror attacks have been a substantial problem around the world, driven in 
large part by regional interests and issues. For instance, members of various Irish 
Republican Army (IRA) groups engaged in terror attacks against English tar- 
gets from the mid-1970s through the early 2000s. Similarly, domestic extremist 
groups within the United States have engaged in a number of attacks over the 
last few decades, such as Timothy McVeigh’s 1995 bombing of a federal build- 
ing in Oklahoma City, Oklahoma (Schmid & Jongman, 2005). 

The terror attacks of September 11, 2001 in the United States demon- 
strated the substantial threat posed by international terror groups who operate 
around the globe, though their agendas and interests may not be directly caused 
by their target (Schmid & Jongman, 2005). Major terror incidents have occurred 
worldwide, including attacks against commuter trains in Madrid, Spain in 2004, 
various targets in Mumbai, India in 2008, as well as more recent attacks such as 
the Bataclan Theater in Paris France in 2015 and the Ataturk Airport attack in 
Istanbul, Turkey in 2016. 

Though these incidents were perpetrated by radical Islamist extremist groups 
such as the Islamic State of Iraq and Syria (ISIS), ideological actors of all 
stripes have attempted or succeeded in committing all manner of violence. In 
fact, domestic extremist and radical groups in the United States are responsible 
for more combined deaths than that of Islamic radicals generally (Caspi et al., 


2012). Some acts of violence are not even clearly linked to an ideology, making it 
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all the more complicated to understand. For instance, a 64-year-old man named 
Stephen Paddock opened fire on a music festival in Las Vegas, Nevada on Octo- 
ber 1, 2017 (Campbell, 2019). He killed 60 people and wounded 411 more and 
killed himself before he could be arrested. Paddock’s motives remain unknown, 
though ISIS initially claimed he was their soldier, and far right misinformation 
groups attempted to tie his actions to the far left group Antifa (Campbell, 2019). 

As a consequence, physical security measures have been implemented in 
order to increase the successful identification and disruption of further attacks. 
The United States has radically changed their airport screening procedures to 
identify dangerous materials prior to entering flight terminals. Physical barriers 
have been erected at various government buildings, power plants, and sensitive 
infrastructure to make it harder to enter the spaces by force. Additionally, many 
governments have recalibrated their law enforcement and intelligence gathering 
agencies to focus on the prevention of terror and increased collaborative infor- 
mation-sharing programs. 

Though the focus on real-world terrorist attacks and extremist violence is a 
necessity due to the potential for civilian casualties and property damage, there 
has been less attention paid to the prospective threat of attacks performed through 
cyberspace. This is surprising, since virtually all industrialized nations are depend- 
ent on technology in order to engage in commerce and manage utilities, like water 
and power, as well as communications. A carefully targeted attack against any crit- 
ical infrastructure resource could cause serious harm to the security of the network 
and potentially cause harm in the real world. Such a scenario has become increas- 
ingly popular in media and films, as in the movies Live Free or Die Hard and Skyfall, 
where groups of cyberterrorists compromise traffic control systems, government 
computers, utilities, and financial systems through a series of coordinated hacks. 

The sensationalized appearance of cyberattacks in film has led to significant 
debate over the realities of virtual attacks against critical infrastructure. In the 
mid-1990s, when the World Wide Web and computer technologies were being 
rapidly adopted by industrialized nations, individuals in government and com- 
puter security theorized that such attacks were possible (Drogin, 1999; Verton, 
2003). For instance, Deputy Secretary of Defense John Hamre and Richard 
Clark, an advisor on cybersecurity, used the term electronic Pearl Harbor to 
refer to a cyberattack against the United States that would take the nation by 
surprise and cause crippling harm (Verton, 2003). The lack of concrete evidence 
that such attacks were happening led some to dismiss these claims. 


These issues raise complex questions on the very nature of how these threats 


should be viewed and who has the responsibility to respond. For instance, should 
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cyberterror be treated differently from traditional acts of terror? This chapter will 
address these questions in a systematic fashion. First, we will define crime, terror, 
and cyberterror. In addition, the ways in which extremist groups and terror 
organizations utilize the Internet in order to support their activities or engage in 
attacks will be explored in detail. Finally, the legislative efforts in place to deal 
with terrorism as well as coordinate the response will be discussed in depth. 


For more debate on the controversies of an electronic Pearl 
Harbor, go online to: 


1. http://blog.radware.com/security/2013/12/electronic-pearl-harbor/ 

2. www.washingtonpost.com/blogs/innovations/post/digital- 
deterrents-preventing-a-pearl-harbor-of-cyberspace/2010/12/20/ 
eIQASNKyoL_blog.html 


Defining Terror, Hacktivism, and Cyberterror 


In order to understand the problem of terror, online or offline, we must first 
understand its relationship to crime. Both criminals and ideologically driven 
extremist or terror groups may use the same skills or behaviors in the course 
of an activity. Many nations charge terrorists under criminal statutes (Brenner, 
2008). One way that we might be able to discern the differences between these 
behaviors is to consider both the motive of the actor and the number of people 
harmed. Criminals often target single individuals in order to increase their like- 
lihood of success and are often driven by economic or emotional desires. For 
instance, an individual may assault another individual in order to get money in 
the course of a robbery or kill a person in retribution or cold blood. A terrorist 
or extremist group, however, tends to target large groups of people or physical 
locations that can cause massive collateral damage while at the same time draw- 
ing attention to a specific ideological, political, or religious agenda. In addition, 
many acts of terror are designed to target innocent people in order to cause 
general panic and fear among the larger populace, rather than simple economic 
gain (Brenner, 2008). 

Recognizing the role of motivation is necessary to identify an act of terror. 
There are, however, a wide range of activities that people engage in that express 
their political or ideological beliefs. Thus, it is necessary to situate acts of terror 
within the spectrum of political behaviors on and offline, ranging from non- 
violent expression to serious physical violence (Holt & Kilger, 2012; Schmid, 
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1988, 2004). There are myriad forms of non-violent resistance that individuals 
engage in on a day-to-day basis. Prior to the emergence of the World Wide 
Web, individuals could express their dissent with political positions through 
letter-writing campaigns to print media outlets as well as their legislative repre- 
sentatives. Freedom of speech throughout the industrialized world also enables 
individuals to express their opinion in public settings, regardless of how negative 
they may be. The web has extended this capability, as individuals regularly post 
messages about their views on politics and social issues on Facebook, Twitter, 
and other social media (Martin, 2006; Schmid, 1988, 2004). In fact, individuals 
now contact politicians and representatives through the Internet at the same rate 
as postal mail and telephone (Best & Krueger, 2005). 

The development of social media has had a substantive impact on the accept- 
ance and growth of social movements across the globe (see Box 10.1). Individ- 
uals posting messages on Facebook, YouTube, or web forums can have their 
message viewed by others who share their point of view, or who may come to 
support their cause through convincing stories (Ayers, 1999; Chadwick, 2007; 
Jennings & Zeitner, 2003; Stepanova, 2011). The use of social media to develop 
networks of social support is crucial in the formation of a collective identity that 
can move into real spaces in order to affect social change. 

This was demonstrated by protesters in the United States opposing the 
Dakota Access Pipeline, a major oil pipeline that would be built near Native 


Box 10.1 The Use of Technology in 
Protest Activities 


How Social Media Has Changed Civil Rights Protests 


https://www.nytimes.com/2020/06/18/technology/social-media- 


protests. html 


Omar Wasow is steeped in both social media and the civil rights move- 
ment of the 1960s. And he marvels at how the two have melded in 


the current demonstrations against racial injustice and police brutality. 


This article presents an interview with a Princeton University researcher 
and his investigations into the role of social media as a facilitator for real 
world organization. He also discusses the negative consequences that can 
result from exposure to concepts on and offline in the United States. 
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American tribal lands (Dreyfuss, 2017). Similar organization strategies have been 
employed by Black Lives Matter protesters across the United States during 2020 
in the wake of various acts of brutality performed by police against racial minor- 
ities (Biddle, 2020). The value of social media lies in its capacity as a tool to cov- 
ertly organize large groups across wide disparate spaces to converge in one place 
at the same time. Furthermore, organizers can make videos and messages about 
real world events, and then post them online to generate additional attention to 
their causes. Thus, organized forms of non-violent expression can be enabled by 
virtual experiences and communication (Chadwick, 2007; Earl & Schussman, 
2003; Jennings & Zeitner, 2003; Stepanova, 2011; Van Laer, 2010). 

Unfortunately, these same tools can be used to organize real world protests 
that are intended to promote or cause violence. For example, a series of protests 
were held in Charlottesville, Virginia during August 11 and 12, 2017 called Unite 
the Right (Corera, 2019). This event brought various far right extremist groups 
together, including neo-Nazis and members of the Klu Klux Klan, over the 
removal of a Confederal War memorial from a public park. The protests drew 
widespread condemnation and counterprotests, culminating in the state police 
declaring the rally to be an unlawful assembly requiring all participants to disperse 
(Corera, 2019). Shortly after that action, a white nationalist intentionally drove 
his car into a crow of counter-protesters killing one and injuring 28. The events 
were organized online in large part through the participants in a website called 
The Daily Stormer, as well as communications apps like Discord (Corera, 2019). 

Political expression in the real world can also include the use of destruction 
or vandalism in order to express dissent (Brenner, 2008; Denning, 2010; Holt 
& Kilger, 2012). For instance, individuals may deface images of politicians or 
burn flags in order to express their dissent over a nation’s positions toward an 
event. In virtual spaces, individuals may engage in similar forms of vandalism 
against websites or specific resources in order to express their disagreement with 
a policy or practice (Denning, 2010; Woo et al., 2004). One such example is 
an individual claiming to belong to the Animal Liberation Front (ALF) who 
defaced the website of a fur and leather retailer. The hacker also added the fol- 
lowing message to the content of the site: 


To the owners of “The twisted pine fur and leather company” you have no 
excuse to sale [sic] the flesh, skin and fur of another creature. Your website 
lacks security. To the customers, you have no right to buy the flesh, skin or 
fur of another creature. You deserve this. You’re lucky this is the only data 
we dumped. Exploiters, you’ve been warned. Expect us. 
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Can you really put that much faith into the security of a company that 
sales [sic] the fur, skin and flesh of dead animals to make a profit? 


We are Anonymous. 

We are Legion. 

We do not forgive. 

We do not forget. 

We are antisec. 

We are operation liberate. 


Expect us. 


This simple message quickly expressed their point of view and disagreement 
with the company’s practices. In addition, the hackers indicated that they were 
able to view the customer database information maintained by the company, 
and that they could potentially steal the credit and debit card information of 
individuals who had purchased goods through the site. 

This sort of attack is what some researchers refer to as hacktivism, in that 
the actors use hacking techniques to promote an activist agenda or express their 
opinion (Denning, 2010; Jordan & Taylor, 2004; Taylor, 1999). Such an attack 
may be illegal, but it does not create a high degree of fear or concern among the 
larger community (Jordan & Taylor, 2004). As a result, hacktivism provides a 
way to classify criminal acts of protest involving hacking techniques that are in 
some way analogous to offline political action (Denning, 2010). The use of this 
term, however, does not help to refine our understanding of cybercrime or 


terror as it is a more nebulous concept than anything else. 


For more on hacktivism, go online to: 


1. https://opinionator.blogs.nytimes.com/2013/01/13/what-is-a- 
hacktivist/ 
2. www.thenation.com/article/154780/wikileaks-and-hacktivist-culture 


At the most extreme end of political expression are planned acts of violence 
in support of a social agenda, typically referred to as terror (Schmid, 2004). 
This may include the creation of major explosions, such as the Oklahoma City 
bombings of the early 1990s in the United States, or the 9/11 attacks on the 


World Trade Center. These incidents can cause massive harm to both people 
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and property and generate fear of future attacks (Martin, 2006; Schmid, 2004; 
Schmid & Jongman, 2005). Though there is no single agreed upon defini- 
tion for what constitutes an act of physical terror, these elements are present in 
almost all of the existing frameworks used (Schmid & Jongman, 2005). 

The definitional issues present for physical terror are exacerbated when 
attempting to define what constitutes cyberterror. In fact, the term cyber- 
terror developed in the mid-1990s as technology was increasingly adopted by 
consumers and industry alike (Foltz, 2004). As increasing focus was placed on 
defining physical terror through the use of violence to promote fear; this chal- 
lenged the notion of cyberterror since there have been few instances where 
individuals in the real world experienced any physical harm from a cyberattack 
(Britz, 2010; Denning, 2010; Foltz, 2004; Martin, 2006; Pollitt, 1998). 

An attack against the electronic infrastructure supporting financial institu- 
tions or power grids, however, could produce a catastrophic loss of service 
that results in economic harm or disruption of vital services (Brenner, 2008; 
Britz, 2010; Brodscky & Radvanovsky, 2010; Denning, 2010). For instance, 
if an attacker was able to knock out power to a major city, it could potentially 
result in significant dollar losses for corporations and potentially lead to physical 
death if outages affected hospitals or medical services. The unexpected nature of 
such an attack would also, no doubt, generate panic over the prospect of future 
attacks occurring with almost no warning. Such fear and concern over cyber- 
attacks may rival that of a physical terror incident (Britz, 2010; Denning, 2010; 
Kilger, 2010). As a result, physical harm may be less relevant in the definition of 
cyberterrorism compared to the fear that may stem from such an attack. 

As an example, a series of Distributed Denial of Service (DDoS) attacks were 
targeted against US financial institutions beginning in the fall of 2012 by the 
group Izz ad-Din al-Qassam Cyber Fighters (Gonsalves, 2013). Major financial 
institutions were targeted, including US Bancorp, JP Morgan Chase & Co., 
Bank of America, PNC Financial Services Group, SunTrust, and other institu- 
tions. The group utilized compromised web servers located in the United States 
as a launch point and caused some interruptions of service for the banks. It is 
not clear how successful the attacks were, though one estimate suggests at least 
seven banks were taken down for minutes to hours, depending on the institu- 
tion (Gonsalves, 2013). 

The group indicated in posts on the website Pastebin that they were engag- 
ing in the attacks because of the treatment of the Islamic faith by the West and 
the US government’s refusal to remove clips of a movie that disparages the 
prophet Mohammed from YouTube (see Box 10.2 for details). They claimed 
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Box 10.2 Ultimatum for DDoS Attacks 
Against US Banks 


Qassam Cyber Fighters’s Pastebin ORS ea CI 


https://pastebin.com/u/QassamCyberFighters fl 


Operation Ababil, AAQASSAM ULTIMATUM ... We, the Cyber 
Fighters of Izz ad-Din al-Qassam, had previously warned multiple 
times that, if the insulting movies not be removed from the Internet 


we will resume the Operation Ababil. 


This link provides readers with the full campaign of posts made by the 
Cyber Fighters’ during their attacks against various financial institutions 
in the United States beginning in February 2013 as retaliation for the 
publication of a video on YouTube that insulted the image of the Prophet 
Mohammed. The announcements include their targets, demands, and sta- 


tus updates. 


that they would engage in attacks against banks as retribution for these videos 
and base the duration of their attacks on the perceived damages that will result 
against these institutions relative to the number of times these videos have been 
viewed and the length of time they have been posted. While some of these 
institutions used mitigation services to reduce the effectiveness of the DDoS 
attacks, there was evidence of service losses for some customers. As a result, 
these attacks are a possible example of cyberterror. 

It is also important to recognize that some terror or extremist groups may not 
attempt to use the Internet as an attack vehicle. Instead, they may simply find 
value in using online communications in order to contact others, spread their 
message globally, and engage in fundraising activities to support their cause (Britz, 
2010; Foltz, 2004). For instance, there has been substantial concern over ISIS 
using various encrypted applications such as WhatsApp and Telegram to com- 
municate (Rotella, 2016). The use of various instant messaging protocols makes 
it difficult to track actor networks and validate threats (see Box 10.3 for details). 

With that in mind, a truly expansive definition of cyberterror must recognize 
the variations that may be evident in the way an organization uses technology to 
further its agenda. Criminologist Marjie Britz (2010) has developed an inclusive 


definition for cyberterror that recognizes both of these issues: 
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Box 10.3 The Use of Encrypted Chat 
Applications by Terrorists 


Proud Boys Channels Are Exploding on Telegram 


https://www.rollingstone.com/culture/culture-news/proud-boys- 


telegram-far-right-extremists-1114201/ 


In light of mass deplatforming on big tech social platforms like 
Twitter... far-right militants are flocking to alternative social networks 


such as the encrypted messaging apps Telegram and Signal. 


This article provides an overview of the reasons why extremist groups in 
the United States, are moving to encrypted apps like Telegram, which are 
also being used by protestors and others interested in hiding their commu- 
nications from government agencies, investigators, and the media more 
broadly. The article also explains how crackdowns on other social media 
platforms may engender a switch to encrypted applications for planning 
and recruitment efforts. 


The premeditated, methodological, ideologically motivated dissemination of 
information, facilitation of communication, or attack against physical targets, 
digital information, computer systems, and/or computer programs which is 
intended to cause social, financial, physical, or psychological harm to non- 
combatant targets and audiences for the purpose of aftecting ideological, 
political, or social change; or any utilization of digital communication or 
information which facilitates such actions directly or indirectly. (p. 197) 


We will use this definition in order to frame the remainder of this chapter so 
as to recognize the various ways that extremists and terrorists use technology to 


further their agendas on and offline. 


The Use of the Internet in the Indoctrination 
and Recruitment of Extremist Groups 


Due to the prospective variations in the behavior and motives of actors, it is 
necessary to consider how technology may be used and to what ends. First 


and foremost, the Internet has tremendous value as a communications vehicle 
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for extremists, terror entities, and nation-state actors. The easy and immediate 
access to technology, coupled with the anonymity and scale afforded by com- 
puters and the Internet, make email, forums, instant messaging, and virtually 
all other forms of computer-mediated communication (CMCs) ideal for inter- 
personal communications. Almost every nation on earth now has some form of 
Internet connectivity, whether through cellular service providers, high-speed 
fiber optic connectivity, or even dial-up Internet access. Groups can maintain 
contact and reach out to others, no matter where they may be located, through 
plain text messages, email, or forums. 

The ability to regularly communicate with others from diverse backgrounds 
ensures that individuals can be slowly, but steadily, introduced to the core 
principles of a movement (Gerstenfeld et al., 2003; Gruen, 2005; Weimann, 
2004). Constant exposure and reinforcement of an ideology allows individuals 
to become accepting of an otherwise unusual perspective, and it may eventually 
enable the acceptance of an extremist ideology or identity (Gerstenfeld et al., 
2003). There are myriad web forums operating to support various white nation- 
alist and neo-Nazi ideologies, including The Daily Stormer, National Socialist 
Movement (NSM), and even portions of the relatively broad Reddit, 8chan, 
and 8kun communities. 

One of the oldest of these forums is Stormfront.org, which was extremely 
popular among neo-Nazis to discuss all facets of their movement and even day- 
to-day activities through a white-power perspective (Castle, 2011; Gerstenfeld 
et al., 2003; Weimann, 2004). The site serves as a venue for individuals to 
engage in conversations and connect with others virtually and through the real 
world via localized subforums by nation, state, and city. There are also multiple 
sections devoted to politics, technology, philosophy, and entertainment. Over 
the last few years, the site has become destabilized and inconsistently available as 
technology companies are increasingly unwilling to host the site after the deadly 


Charlottesville protests (discussed above). 


For more information on the global role of Stormfront in spread- 
ing hate, go online to: 


1. https://www.infomigrants.net/en/post/22714/rome-sentences-24- 
for-hate-comments-on-stormfront-forum 


2. https://www.sciencemag.org/news/2018/05/it-s-toxic-place-how- 


online-world-white-nationalists-distorts-population-genetics 
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In addition to direct communications, the Internet also allows groups to 
directly communicate their beliefs and ideologies to the world without the need 
for mass-media marketing or news media coverage. Any terror or extremist 
group can post messages on blogs or websites in order to directly control the 
delivery of their message to the media and the public at large (Forest, 2009). 
For instance, members of the hacker group Anonymous regularly use Twitter, 
YouTube, and even written letters posted on websites in order to explain their 
actions or notify prospective targets that they may be attacked (see Box 10.4 
for details). 


Box 10.4 Anonymous Open Letter Example 


Greetings Citizens of the World, We are Anonymous 

This is an open call to establish travel bans on United States citizens, 
boycott US-made products, divest of US- or Trump-related business 
interests, and apply sanctions on the Trump regime and all of its associ- 
ates. Until the danger the United States today possesses against the world 
is resolved. Reciprocity measures must be enacted against the United 
States to challenge its shameless actions under the Trump regime. Global 
response must also come in the form of economic sanctions on products 
directly associated with the Trump corporate brand. 

As citizens of the world we must unite against tyranny wherever it 
emerges and challenge it. As Trump reveals himself to be a danger not 
just for the United States but the rest of the international community 
it is our right to protect and defend ourselves from the madness of 
rogue entity with no regard for international law, human rights, or 
common decency. 

We call on the international community from all backgrounds and 
ideologies, across social stratas and religions, to resist the madness leak- 
ing out of the United States. We call for the creation of global boycotts 
against US-made products, we call on you to contact your representatives 
and members of parliament and congress to apply sanctions on the Trump 
regime, we call on you to take part in divestment of US shares. BDS (Boy- 
cott, Divestment, and Sanction) the United States until the maleficent 
Trump regime is brought to justice. 

To the citizens of the United States, this is not an attack on you 


but firm and necessary action against the rising tyranny that today 
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befalls you. Participate in your own liberation from the Trump regime 
by applying economic and political pressure on your house and sen- 
ate representatives to push the impeachment of the Trump regime. 
The Trump regime will not listen to protests in the streets, but it will 
crumble under protests in the work force & sanctions, divestment, and 
boycotts abroad. We call on you, the citizens of the United States, to 
organize rolling work strikes nation-wide. Remove your labor from the 
pockets of the tyrants, disrupt the markets they are so proud of, and take 
the reins of your governance back by building society and mass col- 
laboration. Forget making America great again, together we can make 
humanity great again. 


We are Anonymous. 

We are everywhere. 

We are legion. 

We are those you have left without a home. 
We are those you have murdered. 

We are voiceless no more. 

The world will change. We'll change it. 
Tyrants of the World, 

Expect Us! 


The Islamic State also uses Twitter and Facebook as a key platform for mes- 
saging and radicalization (Corera, 2020). The relatively limited territories ISIS 
controls off-line in Iraq and Syria demand they find ways to attract individuals 
to their ideology, making social media an essential tool in promoting their mes- 
sage to recruit participants globally (see Box 10.5). Social media sites are particu- 
larly useful as a resource as individuals can create accounts easily and use them 
from very basic mobile phones. The use of hashtags in social media messaging 
also allows ISIS to find ways to connect to other users on the basis of shared 
interests, or uncommon phrases that may pull in specific audiences (Berger & 
Morgan, 2015). These practices, however, also make it possible for social media 
providers to identify and suspend accounts engaged in ISIS or jihadi related 
posts (Corera, 2020). 


Computers and software suites for multimedia creation like Photoshop also 


allow groups to create and manipulate videos, photos, and stylized text. This 
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Box 10.5 The Role of Social Media in Recruitment 
and Radicalization 


ISIS and the Lonely Young American 


https://www.nytimes.com/2015/06/28/world/americas/isis-online- 


recruiting-american. html 


She kept teaching at her church, but her truck’s radio was no longer 
tuned to the Christian hits on K-LOVE. Instead, she hummed along 
with the ISIS anthems blasting out of her turquoise iPhone, and began 
daydreaming about what life with the militants might be like. 


This article details one young woman’s experience engaging with, and 
eventually accepting, the radical ideology promoted by ISIS. She engaged 
in discussions with members of ISIS via various social media feeds, even- 
tually engaging in regular conversations and even converting to Islam. 
Her story provides an excellent example of the types of individuals ISIS 
and other radical movements seek out, and the processes they employ to 


indoctrinate them. 


enables extremist groups to develop more media-friendly materials or misrep- 
resent facts in support of their own ideologies. In turn, they can promote their 
ideas and images to a larger audience in a subtle and convincing way that may 
instill anger and hostility toward groups that are perceived as oppressors or 
socially unacceptable (Forest, 2009; Gruen, 2005). 

This is evident in the heavy use of meme content created by far right groups 
to be shared on various social media platforms (De Cristofaro, 2018). Memes 
involve a combination of well-known images and text to express humor and 
sarcasm in an easily digestible and highly sharable way, as well as express political 
and ideological sentiment. To that end, far right memes often feature pro-Nazi 
and anti-Semetic visuals with text that can express hate or encourage violence 
(De Cristofaro, 2018). Viewers may not realize this at first, and instead simply 
like and share the content on the basis that the message is amusing or clever. 
The subtle nature of the messaging may, however, be sufficient to invite further 
scrutiny and investigation by the viewer and help lead them to accept such 
beliefs over time (De Cristofaro, 2018). 
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For more information on the meanings and use of far right and 
extremist memes, go online to: 


1. https://www.motherjones.com/politics/2019/04/right-wing-groups- 


are-training-young-conservatives-to-win-the-next-meme-war/ 


2. https://www.wired.com/story/boogaloo-movement-protests/ 


There are other forms of media manipulation, as evident in the publica- 
tion of lifestyle magazines by terrorist groups. The terrorist group Al Qaeda 
in the Arabian Peninsula’s (AQAP) published their own English-language 
magazine called Inspire which provides information on the perspectives of the 
group and the jihadist movement generally. An issue from March 2013 fea- 
tured an article on the 11 public figures from the West who it feels should 
be wanted dead or alive for crimes against Islam (Watson, 2013). It also fea- 
tures regular details on techniques to engage in terrorism, ranging from simple 
bomb-making to how to handle firearms. Similarly, Al-Qaeda began to publish 
their own English-language magazine called One Ummah on September 11, 
2019 (Gardner, 2020). 

The glossy magazine format allows authors to promote their agenda in a way 
that is both attractive and appealing to readers. At the same time, the writing 
style may be more engaging and promote the jihadist agenda to those who may 
never have considered this point of view (Gardner, 2020; Watson, 2013). In 
fact, the Tsarnaev brothers who performed the Boston Marathon bombing fre- 
quently sought and read extremist websites and the magazine Inspire which 
served as the basis for their method of attack. The brothers acquired the infor- 
mation needed to build improvized explosive devices from pressure cookers, 
nails, ball bearings, and explosive materials via articles published in the magazine 
(Cooper et al., 2013). 


For more information on the importance of jihadi magazines in 


radicalization, go online to: 


1. www.dailymail.co.uk/news/article-2287003/Al-Qaeda-releases-guide- 
torch-cars-make-bombs-naming-1 1-public-figures-wants-dead-alive- 
latest-edition-glossy-magazine. html 


2. https://www.njhomelandsecurity.gov/analysis/al-qaidas-online- 
magazine-vilifies-us-values 
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In much the same way, far right extremist ideologies are often proffered 
through a lens of legitimacy via think thanks and lobbying groups in the United 
States. As an example, the National Policy Institute (NPI) was formed in 
2005 and operated by individuals who espoused white nationalist ideologies. In 
fact, it is currently run by Richard Spencer, who has openly used Nazi salutes 
and propaganda from Hitler in public speeches. The NPI also operates a website 
which began as a platform for its Radix Journal, described as “a periodical on 
culture, race, metapolitics, critical theory, and society.” The name radix was 
selected intentionally as a means to shield their views in a search for the “truth,” 
as they state: 


Radix is a Latin word meaning “root” or “stem.” It is the basis of a num- 
ber of familiar words in English, including “radical” and “race.” The 
“extremist” — that is, he who takes things too far- is merely excessive. The 
“radical,” in the true sense of the word, seeks to uncover the heart and 


source of the matter. 


The site content, however, presents far right views such as the notion that 
science and those who conduct research are unable to be neutral, and that 
white Europeans need feel no guilt for the way that other races were subju- 
gated through slavery in the United States and elsewhere. The site also operates 
a podcast and video series with the same far right views presented through a 
quasi-intellectual lens in an attempt to justify their views. Such efforts help far 
right groups to indoctrinate others into their ideological or political worldview 
through discourse that appears far more acceptable on the surface. 

In addition, cell phone cameras and web cams allow individuals to create 
training videos and share these resources with others through video sharing sites 
like YouTube (Gruen, 2005). Posting videos and news stories through social 
media also provides a mechanism to publicly refute claims made by media and 
governments to ensure the group is presented in a positive light (Forest, 2009; 
Gruen, 2005). For instance, participants in the recent Arab Spring created vid- 
eos on camera phones to show violent repression by government and police 
agencies, as it happened, to news agencies around the world (Stepanova, 2011). 
Similarly, ISIS members have posted videos of the conflict in the city of Mosul, 
Iraq and other parts of the country where they have attempted to take control 
of the population. Their videos are intended to validate or refute claims by the 
US military and coalition forces regarding their attempts to retake cities where 
ISIS has dug in (Tawfeeq et al., 2016). Such “on the ground” reporting allows 
individuals to provide evidence of their experiences. 
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This same capability, however, can be abused by extremist groups in sup- 
port of their ideologies. One of the most extreme examples of such an act was 
a video posted by members of Al Qaeda in Pakistan on February 21, 2002. 
In the video, members of the group executed a journalist named Daniel Pearl 
who was kidnapped while he was traveling to conduct an interview (Levy, 
2003). He stated his name for the camera, described his Jewish family heritage, 
and then condemned America’s foreign policy strategies in the Middle East. 
Following these statements, his captors then slit his throat and cut off his head, 
ending the video with a statement demanding the release of all Guantanamo 
Bay detainees or otherwise more deaths would result (Levy, 2003). The grue- 
some video became a key piece of propaganda for the group and the jihadist 
movement generally, while inciting massive outrage in the United States. Such 
a chilling example demonstrates the value of interactive media and the Inter- 
net in the promotion of extremist movements generally (see Box 10.6 for an 
additional example). 

In addition to video, social movements on the fringes of society have suc- 


cessfully utilized music and video games as a means to expose individuals to 


Box 10.6 An Example of Facebook Live Being 
Used for Terrorism 


How the Christchurch Terrorist Attack Was Made for 
Social Media 


https://www.cnn.com/2019/03/15/tech/christchurch-internet-radicali 


zation-intl/index. html 


It seems that the video was filmed by a perpetrator of the mass shoot- 
ings at two mosques in the city of Christchurch, New Zealand, in 
which dozens of people were killed and injured. In a sickening angle 


to an already horrific story, it was live-streamed online. 


This article explains the way that the Christchurch, New Zealand mosque 
shooter livestreamed the violent attack he performed on Facebook. Addi- 
tionally, the attack and the attacker’s manifesto were shared on various 
social media and online sites in order to spread his racist, nationalist beliefs 
broadly. The article also details the challenge of policing such content on 


the Internet and reducing the threat of terror are discussed in detail. 
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their perspectives in socially acceptable and engaging ways (Britz, 2010; Wei- 
mann, 2004). For instance, Resistance Records is a record label that produces 
and distributes music by bands that feature white power and right-wing extrem- 
ist messages in a direct-downloadable format (Jipson, 2007). The label is owned 
and run by the National Alliance, a white power group, which gains a profit 
from album sales. Music allows what are otherwise extreme or socially unac- 
ceptable positions to be heard in ways that may appeal to younger generations 
or the general public. 

Video games have also become a key resource for extremist groups to 
promote their beliefs in a socially acceptable, approachable, and extremely 
engaging way to younger audiences. The rewards and reinforcement indi- 
viduals can receive through successfully completing the objectives of a 
game, coupled with the underlying themes of the content, can promote an 
extremist view in a very digestible format. One of the most well-known 
of these games is called Ethnic Cleansing and was developed and released 
through Resistance Records using no-cost open-source software. This is a 
so-called “first person shooter,” wherein the game is played from the point 
of view of a skinhead or Klansman who kills blacks, Jews, and Latinos in 
various urban and subway environments (Anti-Defamation League, 2002). 
This game, and its sequel “White Law,” costs $14.99 and can be downloaded 
directly through the Resistance Records website (Anti-Defamation League, 
2002). Similarly, Islamic extremists have released several video games that 
place the player in the role of a jihadist fighting against Jews, Westerners, and 
the US military (Gruen, 2005). The content utilizes pro-Islamic imagery, rap 
and popular music, as well as various images of and messages from Osama Bin 
Laden and the 9/11 terror attacks. The game has been posted and reposted 
across various websites online ensuring its spread to various interested groups 
(Weimann, 2004). 

In addition, far right groups have recently begun to recruit and radicalize 
players in traditional online games like Fortnite (see Box 10.7 for detail). Such 
a move is sensible given that these platforms are often populated by young 
males who are unsupervised. Players can easily discuss any idea at length, and 
the violent nature of some games engenders discussions of violence that can be 
couched in real world terms. As a result, there is growing concern over how to 
reduce the spread of extremist ideologies through online games. 

Finally, there are a number of training and support manuals that are distrib- 
uted online. In fact, the open nature of the World Wide Web allows individuals 
to post information that could be used to engage in violence or cause physical 
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Box 10.7. Online Gaming as A Flash Point for Far 
Right Indoctrination 


White Supremacy Is Metastasizing — In Video Games 


https://www.wbur.org/cognoscenti/2019/04/23/video-games-white- 


supremacy-rich-barlow 


She [Professor Megan Condis] says video game culture has become 
infested with white supremacists trawling for converts. Casually 
chatting up young male players about race, alt-right types probe for 
“those who exhibit curiosity about white nationalist talking points,” 


she writes. 


This article explains the basic processes white nationalists and other far 
right extremists communicate with youth through online game environ- 
ments to recruit and radicalize others. The piece also notes that individuals 
who have engaged in real world violence, like the 2019 New Zealand 
mosque shooter, emphasized the importance of online gaming in helping 


them prepare for their actions. 


harm in the real world. There are a number of training manuals and detailed 
tutorials for bomb-making, gunplay, and improvized weapons use on the Inter- 
net, many of which have been available online for years (Wall, 2001). This is 
because individuals can easily post a text file or word processor document and 
repost it in repositories, send via email, or share via social networks in different 
formats and languages. For example, the Mujahideen Poisons Handbook from 
Hamas and the Encyclopedia of Jihad published by Al Qaeda are available in vari- 
ous online outlets (Weimann, 2004). Even the Earth Liberation Front and ALF 
have tutorials on how to engage in civil disobedience and protests against log- 
ging companies, construction sites, and animal testing facilities (Holt, 2012). 
These resources engender planning and tactical strategy development, regardless 


of the expertise of the individuals in a given area. 


For an example of a tactical manual, go online to: www.direkte- 
aktie.net/osh/ 
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Electronic Attacks by Extremist Groups 


Though the communications capability afforded by the Internet is unparal- 
leled, it is also important to consider how these technologies could serve as a 
target for attacks by extremists and terror groups. The range of interconnected 
computer systems and sensitive data that could be compromised online pre- 
sents a diverse range of high-value targets for attackers (Britz, 2010; Denning, 
2010; Holt, 2012; Kilger, 2010). For instance, individuals could immediately 
target financial institutions in order to limit the functionality of online banking 
systems or harm databases of consumer information in order to cause chaos. 
Alternatively, attackers may target the computer systems that support the pro- 
cesses within nuclear power plants, hydroelectric dams, or sewage treatment 
plants. These systems, called Supervisory Control and Data Acquisition 
(SCADA) systems, are vital to the management and processing of critical 
infrastructure and are often connected to the Internet in some fashion (Brodsky 
& Radvanovsky, 2010). As a result, an attacker who can affect the function- 
ality of these computers may cause substantial physical harm in the real world 
along with fear over future attacks (see Box 10.8 for details; Brenner, 2011; 
Denning, 2010). 


Box 10.8 Examples of Cyberattacks Against 
SCADA Systems in Water Treatment 


ICS Cybersecurity: Water, Water Everywhere 


www.infosecisland.com/blogview/18281-ICS-Cybersecurity-Water- 
Water-Everywhere.html 


Since then there have been numerous articles and events that have 
driven the public conversation about the security of the cyber systems 
at American water treatment facilities. The question at hand is whether 
this moment of attention will result in any improvements in cyberse- 


curity of the nation’s water supply. 


This article provides a timeline of the cybersecurity incidents that have 
occurred over the last two decades that specifically target water manage- 
ment systems. The piece is invaluable in understanding the ways that sys- 


tems have been compromised and what this may mean for the future. 
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The use of cyberattacks by extremist groups are facilitated in part by the 
nature of information sharing in the hacker subculture (see Chapter 3; Britz, 
2010; Denning, 2010). Hackers regularly provide information on vulnerabilities 
present in the software and hardware of systems across the world (Taylor, 1999). 
This information can be leveraged by anyone with the time or inclination to 
identify systems with this vulnerability and attempt to attack them. As a result, 
open disclosure may do more to facilitate attacks than to provide public aware- 
ness of weaknesses. In fact, hackers in support of Al Qaeda have posted vari- 
ous resources to facilitate cyberattacks, such as Youni Tsoulis, who published a 
hacker tutorial titled “The Encyclopedia of Hacking the Zionist and Crusader 
Websites” (Denning, 2010). This guide provided detailed information on vul- 
nerabilities in US cyber infrastructure, as well as techniques to engage in data 
theft and malware infections. In addition, the ability to obtain free attack tools 
or malware and hacking resources through open markets (see Chapters 3 and 4) 
reduces the amount of resource development needed to successfully complete 
an attack. Thus, the modern hacker subculture facilitates both legitimate and 
illegitimate hacking behaviors, which can be used by any motivated actor. 

One of the most common types of attack used in support of extremist or 
terror agendas is the denial-of-service attack (DDoS) (Denning, 2010; Kilger, 
2010). These attacks may not cause significant system damage, though the fact 
that they keep users from accessing resources can cause massive dollar losses. 
In addition, they can be relatively easy to perform and are enabled in part by 
downloadable tools that will complete the attack at the click of a mouse. 

The history of downloadable DDoS tools stems from the hacker group the 
Electronic Disturbance Theater (EDT; Denning, 2010). The group developed a 
program called FloodNet that could be downloaded directly from their website to 
be utilized by individuals who shared their perspectives on the use of the Internet as 
a space for social activism. It was first used in an attack against the Mexican govern- 
ment because of their treatment of Zapatista separatists who were fighting against 
what they perceived to be governmental repression (Denning, 2010). The EDT 
first used FloodNet against the Mexican President Zedillo’s website, and then 
attacked US President Clinton’s website because of his support of Mexico. A third, 
and even larger, attack was then launched against Zedillo, the Pentagon, and the 
Frankfurt Stock Exchange for its role in supporting globalization (Denning, 2010). 


For more on the EDT, go online to: www.youtube.com/watch?v=O- ae a 
U-he8LN3k ai 
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The success of FloodNet led to its adoption by other activist groups to 
engage in DDoS attacks, such as an attack by animal rights protesters in Swe- 
den and a British group called the Electrohippies Collective (Denning, 2010). 
In more recent years, additional DDoS tools have been developed by groups 
with diverse interests. For instance, a tool called Electronic Jihad was released 
through the Arabic language forum al-Jinan for use against various Western 
targets (Denning, 2010). 

Anonymous also uses a DDoS tool called the Low Orbit Ion Cannon 
(LOIC) in support of attacks against personal, industrial, and government tar- 
gets around the world (Correll, 2010). This simple tool allows individuals to 
simply select a website to target and give parameters for the duration of the 
attack, then click the ready button. LOIC requires no technical knowledge to 
successfully complete an attack; the interest in targeting a specific entity is all 
that is necessary. 


For more on the Low Orbit Ion Cannon, go online to: http:// 


sourceforge.net/projects/loic/ 


Another useful tool in the arsenal of hackers seeking to express their opinion 
are web defacements, where the normal HTML code of a web-page is replaced 
by images, text, and content of the attacker’s choosing (see Chapter 3; Denning, 
2010; Woo et al., 2004). Web defacements began as a vehicle for hackers to 
call out system administrators who used poor security protocols and generate 
a reputation in the hacker community for their actions (Woo et al., 2004). As 
hackers increasingly recognized the value of web defacements as a means to 
express their political or ideological motives, the nature and targets for deface- 
ments began to change. 

Specifically, web defacements increasingly appear to be triggered in response 
to real-world events. For instance, an Iranian general named Qassem Soleimani 
was killed by a targeted US drone strike on January 3, 2020 (O’Donnell, 2020). 
Shortly after this attack, a series of web defacements occurred affecting various 
public and private websites in the United States with messages featuring phrases 
such as “Down with America” and images of the Iranian flag (O’Donnell, 
2020). One of these defacements affected the US Federal Depository Library 
Program website, and featured an image of the Iranian general and a picture of 
then president Trump with a bloodied face being punched by pro-Iran messages 
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(O’Donnell, 2020). As a consequence, the US Department of Justice indicted 
two men, one a 19-year-old Iranian and the other a 25-year-old Palestinian, for 
the attack against this government website. They face two counts of violating 
the federal Computer Fraud and Abuse Act (CFAA; see Chapter 3), and have 
yet to be arrested. To further explore the ways that extremists use technology in 
order to affect action or cause harm, we will now explore the online activities of 
two different extremist group subcultures: (1) the Radical Far Right movement 
and (2) the e-jihad. 


The Radical Far Right Online 


The term “the Radical Far Right” is often associated with white supremacist 
groups like the Ku Klux Klan, though it can actually be applied as an umbrella 
term to capture the collective of groups with overlapping perspectives, such as 
neo-Nazi groups, white nationalists, Aryan skinheads, and other Christian sep- 
aratist movements. In addition, the term Alt-Right or Alternative Right has 
been used to characterize aspects of these movements in an attempt to rebrand 
these ideologies. Though they have different individual views, they generally 
share a framework that the white race has been sublimated by non-white racial 
and ethnic groups, Jews, and Catholics. These groups operate around the world 
and take various forms. The Southern Poverty Law Center (SPLC) (2020) 
suggested that there were 940 active hate groups operating in the United States 
in 2019. Though they are spread across the country, the white power move- 
ment is most prominent in the South, upper Midwest, and Southwestern 
United States. Similar groups are evident in Europe and Asia, including the 
NSM, which has offshoots in England and the Philippines (National Socialist 
Movement, 2014). 


For more information on the different types of hate groups in the 


United States and where they are located, go online to: https:// 


www .splcenter.org/hate-map 


The value of the Internet for the radical far right movement cannot be 
understated. Technology allows individuals from marginalized communities 


across the world to become indoctrinated into the culture and find social sup- 


port for their attitudes and beliefs over time. Donald Black, former KKK 


393 


Online Extremism and Cyberterror 


394 


member and the founder of the website Stormfront, stated that ‘““whereas we 
previously could only reach people with pamphlets and by sending out tabloid 
papers to a limited number of people or holding rallies with no more than a few 
hundred people — now we can reach potentially millions of people” (Faulk, 
1997). Considering he made this statement in 1997, the white power move- 
ment has had a long history of Internet use. 


For more information on the Alt-Right, go online to: https://www. 
splcenter.org/fighting-hate/extremist-files/ideology/alternative-right 


Some of the most common tools used by the radical far right movement are 
websites, forums, chatrooms, blogs, encrypted chat apps, and other forms of 
CMC. Individuals who find these sites may be first directed to them through 
Google searches (McNamee et al., 2010), or more recently through social media 
sites. Spending time reading the content and getting to know users may increase 
their willingness to accept their point of view. In fact, continuous involvement 
in these sites may help individuals to accept extremist perspectives, even if their 
peers or family do not agree with these positions. In addition, the ability to 
make multiple friends and associates online in addition to their real-world social 
relationships can help to insulate their perceptions. 

It is important to note that CMCs used by these movements do not nec- 
essarily encourage violence. Some do and are overtly inflammatory in their 
language about the need to rise up in armed conflict or engage in a “race war” 
(McNamee et al., 2010). In fact, a group called the Boogaloo movement or 
Boogaloo Bois have emerged over the last few years as a loose collective of 
actors who show up at protests typically wearing Hawaiian shirts and carrying 
AR-15s and other firearms (Goggin & Greenspan, 2020). Though they have no 
central organization, participants generally emphasize the need to incite a sec- 
ond US civil war and shatter the US government. In fact, their name references 
the 1984 film called “Breakin’ 2: Electric Boogaloo,” which was a sequel to the 
original film “Breakin.” (Goggin & Greenspan, 2020). 

Other groups are more focused on the need to develop a strong white race 
which retains its power in the United States and Europe. In fact, many users 
in forums and other sites communicate their interpretation of historical events 
and scientific findings as a way to justify their actions (McNamee et al., 2010). 
They may also promote the idea that the white race has been appointed by 
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God or by natural right to dominate the world over other races and ethnic 
groups (McNamee et al., 2010). Constant exposure to these messages will help 
to encourage an individual to believe them and be drawn into the movement 
as a whole. 

At the same time, the Internet allows users to regularly access cultural cur- 
rency and modes of expression related to far right movements. For example, 
music became an important tool in the indoctrination of individuals through 
heavy metal bands and other musical styles in the mid-1990s (Simi & Futrell, 
2006). Large concert venues became an important rallying point, drawing mul- 
tiple acts to play at day-long festivals. The development of e-commerce sites and 
music sharing services aided the spread of white power and neo-Nazi music. In 
turn, the movement began to use music as a key resource to communicate their 
message through accessible media that may be more engaging to youth culture 
(Simi & Futrell, 2006). 

The ability to access the Web has also enabled individuals to develop life- 
style-related content that incorporates their racial attitudes (Simi & Futrell, 
2006). Images of tattoos, concerts, organized meetings, video games, music, and 
clothing are all easily identified via the Web. There are now even streaming- 
music services available for those interested in white power bands. In addi- 
tion, the group “Women for Aryan Unity” (WAU) publishes a magazine called 
Home Front on parenting issues, home schooling, and ways to socialize children 
into the movement. There are also child-specific materials available to down- 
load, such as coloring pages, crosswords, and stories that are “age appropriate” 
(Simi & Futrell, 2006). They can also get positive reinforcement from peers and 
ask questions about how to stay loyal to the movement despite the problems 
that they may face from other parents. Thus, the web is a key resource in the 
communication of subcultural values within radical movements as a whole. 

In the last few years, far right groups and actors have also begun to use the 
Internet as a tool to not only recruit others, but incite fear among sensitive 
populations. For instance, a hacker named Andrew “‘weev” Auernheimer 
engaged in a series of targeted hacks of wireless printers on college campuses in 
2016 (SPLC, 2020). He was able to make printers run off copies of violent and 
radical messages, ranging from: “WHITE MAN are you sick and tired of THE 
JEWS destroying your country through mass immigration and degeneracy?” to 


the much more violent text: 


I believe that our enemies need such a level of atrocity inflicted on them 


and their homes that they are afraid to ever threaten the white man with 
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genocide again. ... We will not relent until far after their daughters are raped 
in front of them. We will not relent until far after the eyes of their sons are 
gouged out before them. We will not relent until the cries of their infants are 
silenced by boots stomping on their brains out onto the pavement. 


White nationalists, including Auernheimer, have also engaged in so-called 
Zoombombing campaigns against various groups during the COVID-19 
pandemic (Hayden, 2020). This involving joining a Zoom meeting in order 
to disrupt the proceedings and flash racist and violent messages to participants. 
Such efforts may also serve as a form of harassment and intimidation against 
participants on the basis of their race or religion (Hayden, 2020). These actions 
highlight that far right groups are diversifying their actions in online spaces to 
cause harm on and offline. 


The E-Jihad 


Over the last ten years, academic researchers and popular media have focused 
heavily on Al Qaeda, and more recently ISIS, and their role in global terror 
activities (Forest, 2009; Martin, 2006). Much of this work has helped inform 
our knowledge of the real-world threat that these groups pose, though there 
has generally been little evidence demonstrating their role in successful cyber- 
attacks (Denning, 2010; Ulph, 2006). There is, however, some evidence that 
loose associations of hacker groups are interested in and attempting to engage 
in cyberattacks against the West. This so-called e-jihad has ties to Al Qaeda, 
ISIS, and other Islamic extremist groups across the Middle East and Africa and 
depends on technology for communications infrastructure and as an attack plat- 
form (Denning, 2010; Ulph, 2006). 

The use of the Internet as a platform for e-jihad has been supported by a 
variety of individuals tied to Muslim extremist groups. For instance, Moham- 
mad Bin Ahmad As-Salim wrote a book titled 39 Ways to Serve and Participate 
in Jihad, which was designed to promote discussion about the issue of war with 
the West and jihad generally (Denning, 2010; Leyden, 2003). The book dis- 
cussed the issue of electronic jihad as the 34th principal way to engage in jihad. 
He identifies the need for both discussion forums for media campaigns and 
more specific applications of hacking techniques in order to harm the West. 
Specifically, he wrote: “He [anyone with knowledge of hacking] should con- 
centrate his efforts on destroying any American websites, as well as any sites 
that are anti-Jihdd and Mujdhidin, Jewish websites, modernist and secular 
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websites” (As-Salim, 2003). Thus, terror groups realize that Western nations’ 
dependence on the Internet for both commerce and communications is a major 
vulnerability that can be exploited to cause economic harm and fear in the 


general populace. 


For more information on US citizens being radicalized, go online 
to: http://www.cnn.com/2017/03/03/politics/homeland-security- 


assessment-radicalization/index. html 


To that end, the first hacker group that emerged with specific ties to Al 
Qaeda was the “al-Qaeda Alliance Online,” an offshoot of the hacker group 
“GForce Pakistan.” Members of the Alliance defaced a web server operated 
by the National Oceanic and Atmospheric Administration (NOAA) on Octo- 
ber 17, 2001 (McWilliams, 2001). The defacement contained interesting, if not 
contradictory, information by condemning the September 11 attacks, stating: 
“bin Laden is a holy fighter, and whatever he says makes sense” (McWilliams, 
2001). They went on to say that they would attack major websites in the United 
States and Britain, though “we will not hurt any data as its [sic] unethical” 
(McWilliams, 2001). 

A subsequent defacement occurred ten days later on October 27th, though 
that was the last attack attributed to the group (Denning, 2010). It is not clear 
what happened to the Alliance, but it was replaced by a variety of forums and 
hacker groups actively engaged in the promotion of attacks against the West 
and others who disparaged the Islamic faith. For instance, the al-Farouq forum 
established a section encouraging electronic jihad, along with a downloadable 
library of tools and tutorials for engaging in attacks (Denning, 2010; Pool, 
2005). Similarly, the al-Jinan forum created and offered a free download of 
a DoS tool called Electronic Jihad and gave awards and electronic medals to 
those who were the most effective attackers against sites that harmed Islam 
(Bakier, 2007). 

One of the most well-known examples of information sharing was from a 
hacker named Youni Tsoulis, who used the handle Irhabi007. He developed 
multiple web forums and sites supporting Al Qaeda and even set up hidden links 
to propaganda websites on various forums (Corera, 2008). He also promoted 


hacking and gave multiple tutorials on hacker sites with substantial detail on 


methods of attack and tactics to compromise websites (Jamestown, 2008). Due 
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to the degree to which he actively engaged and shared information about cyber- 
attack techniques with others in the ejihad movement, Tsouli came to the 
attention of law enforcement and military agencies around the world. In fact, 
his name was found on a laptop belonging to a member of an Al Qaeda cell in 
Bosnia who was arrested after making threatening videos against various Euro- 
pean nations. Tsouli was arrested by the London Metropolitan Police during a 
raid in 2005 and was found guilty of charges under the Terrorism Act of 2000 
(Corera, 2008). He received a 16-year sentence; he was 23-year-old at the time. 

More recently, Ardit Ferizi was detained in Malaysia in October 2015 
based on allegations that he compromised US computer systems on behalf of 
ISIS (Perez et al., 2015). Ferizi used the handle Th3Dir3ctorY, and admitted 
to compromising a server hosting a US company, enabling him to gain access 
to a database containing the personally identifiable information (PII) of almost 
1,300 military and government personnel (Department of Justice, 2016). He 
then gave these data to Junaid Hussain, an ISIS recruiter, and discussed using 
the data to produce a hit-list based on the victim’s PII. The data then appeared 
in a tweet posted by the Islamic State Hacking Division (ISHD), claiming that 
they would pass the “personal information to the soldiers of the khilafah, who 
soon with the permission of Allah will strike at your necks in your own lands!” 
(Department of Justice, 2016). He was extradited to the United States for pros- 
ecution, and was eventually found guilty and sentenced to 20 years in federal 
prison on charges related to violations of the Computer Fraud and Abuse act, as 
well as providing material support to a terrorist organization. 

More recently, the Al-Qaeda magazine One Ummah featured an article 
which stated that jihadists should engage in “e-jihad” and attempt to hack power 
grids, financial systems, ““emergency response systems and the like” (Johnson, 
2020). In doing so, jihadi actors can engage in “creative ways of dismantling 
the enemy’s electronic and cyber defenses” (Johnson, 2020). These comments 
highlight the clear recognition that cyberspace continues to be a target-rich 
environment for attacks against the West. 

At the same time, there are generally few successes in the broader land- 
scape of known cyberattacks by jihadists. For instance, individuals attempted to 
engage in a DoS attack against the Vatican website after Pope Benedict made 
comments about the Prophet Mohammad and Islam which were viewed as 
critical of their faith (Denning, 2010). Individuals involved in the e-jihad also 
planned a coordinated series of attacks against US financial institutions and the 
stock exchange in 2006. All of these attacks failed to materialize, calling into 


question the skill of the attackers relative to the preparations taken to defend 
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against such attacks (Alshech, 2007; Denning, 2010; Gross & McMillan, 2006). 
This should not be taken as an indication that Al Qaeda, ISIS, and the e-jihad 
should not be taken seriously, but rather that they recognize the value of the 
Internet and are searching for ways to leverage it toward effective attacks. 

This chapter provides substantive detail on the role of the Internet in facil- 
itating communications, fundraising, and planning for terror groups. There is, 
however, scant evidence of actual cyberattacks performed by terrorist groups. 
Pundits and politicians have heralded this potential for almost two decades since 
the coining of the phrase “digital Pearl Harbor.” 

As a result, some scholars argue that the absence of actual evidence of attacks 
coupled with the expansion of the information collection and security apparatus 
of governments leads to a distinct conclusion: cyberterror is a social construction 
(Furedi, 2005; Yar, 2013). Specifically, the threat posed by terrorism is built up 
by media and seized upon by claims makers. The resulting public support can 
be used as a means to gain greater control over resources like the Internet and 
impose restrictions and surveillance on user activity. This position is supported 
by the recent revelations regarding the US National Security Agency’s (NSA’s) 
access to email and phone records, as well as a larger global surveillance mecha- 
nism (discussed later in this chapter). 

This is a challenging position as the general public does not gain access to 
information on attacks against government systems and critical infrastructure. 
The classification of information makes it difficult to know the reality of ter- 
rorist group capabilities or their use of cyberattacks (Denning, 2010). At the 
same time, there has been a massive build-up in security spending and resource 
allocation to government agencies for what are otherwise extremely rare events 
(Yar, 2013). In the end, it is necessary to consider this position and ask, “What 


is the correct balance between national security and citizens’ rights?” 


Legislating Extremism and Cyberterror 


The Internet and CMCs clearly provide a mechanism for individuals to spread 
hurtful messages and ideas based on prejudice, racism, and other ideological and 
political stances. There is some tension in how to sanction hate speech, as nations 
like the United States protect freedom of speech under the First Amendment 
to the Constitution. The only real way that speech is limited in this country is 
through the “imminent danger” test, where one’s comments are unprotected 


if the speaker attempts to incite dangerous or illegal activities (Abrams, 2012). 


Recognizing that the Internet dramatically increases the risk of exposure to 
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hurtful ideas and prospective radicalization of individuals toward violence, the 
Obama administration began to take steps to combat the problem of domestic 
and foreign terror and extremist groups without changing existing protections 
to free speech. 

The White House released a policy and strategy document in August 2011 
titled “Empowering Local Partners to Prevent Violent Extremism in the United 
States.” This document detailed their desire to use a community-based approach 
to reduce the problem of extremist groups and violent behavior through the inte- 
gration of law enforcement and public private partnerships with stakeholders in 
local communities (White House, 2011). It was argued that religious leaders 
in mosques and Islamic centers of worship, as well as schools and community 
groups, should be brought together in order to foster trust between commu- 
nity residents, law enforcement, and the federal government. In fact, this strat- 
egy involved multiple federal agencies ranging from the Treasury, Department 
of Defense, Department of Justice, Department of Homeland Security (DHS), 
and the Federal Bureau of Investigation (FBI) (White House, 2011). The hope 
was that these inter-agency and community partnerships could better improve 
the scope of engagement with communities on issues that they were concerned 
about, and develop better partnerships that would make communities resilient 
to radicalization, whether from online groups or those in the real world. 

The United States is an isolate with regard to its equal protection of free 
speech, as many nations around the world have criminalized hate speech in 
some form. The United Kingdom’s Public Order Act 1986 criminalized expres- 
sions of threats, abusive, or insulting behavior to any group of persons based on 
their race, color, ethnicity, nationality, or ethnic origin with a punishment of 
up to seven years in prison and/or a fine (Mendel, 2012). This law was amended 
in 2006 to include religious hatred and again in 2008 for protection of sexual 
orientations (Mendel, 2012). Similar legislation is present in Australia, Canada, 
Denmark, France, Germany, the Netherlands, Singapore, and South Africa 
(Mendel, 2012). Though these statutes do not primarily identify the Internet 
as a venue for the communication of hate speech, the laws can be extended to 
these environments. 

The European Convention on Cybercrime (CoC) also includes language 
criminalizing the use of the Internet in order to disseminate hate speech. Specif- 
ically, the CoC identifies “racist and xenophobic material,” including writing, 
images, videos, and any other content that is designed to promote or encour- 
age hate or discrimination against any group (Brenner, 2011). The distribution 
or posting of such material online is defined as criminal under the CoC, as 
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is making online threats to any person on the basis of their racial, ethnic, or 
religious background, and the distribution of information that denies or other- 
wise attempts to misinform individuals regarding genocide and crimes against 
humanity (Brenner, 2011). This legislation has tremendous value in addressing 
the development and radicalization of individuals through the Internet, particu- 
larly white supremacist movements. 

In addition to hate speech, many of the examples provided throughout this 
chapter reflect the use of hacking techniques in furtherance of terror or extrem- 
ist group plots. As a result, several nations have extended their laws pertaining 
to computer hacking so that they can be applied to these offenses (see Chapter 3 
for more detail). For instance, one of the few nations to specifically use the lan- 
guage cyberterror in their legislation is India, which amended its Information 


Technology Act, 2000 to recognize cyberterror as: 


When an individual with intent to threaten the unity, integrity, security, or 
sovereignty of India or strike terror in the people by 

a) Denial of access to a computer resource 

b) Penetrating or accessing a computer resource either without authorization or 
exceeding authorized access 

c) Introducing or causing the introduction of a computer contaminant (e.g. 
malware) that may cause injury to persons or death, damage or destruction 
of property, or adversely affect critical information infrastructure 

d) Accessing a computer resource without authorization or exceeding access to 
obtain information, data, or a database that is restricted due to state security 
concerns in order to cause injury to the State, its security, or relationships 
with other nations 


Anyone who is either found guilty of engaging in these behaviors or conspires 
to commit them can be imprisoned for life. 

The United States expanded the Computer Fraud and Abuse Act following 
the 9/11 attacks through the introduction and passing of the Uniting and 
Strengthening America by Providing Appropriate Tools Required to 
Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001. This 
Act strengthened the existing CFAA laws to include any computer in the world 
so long as it is “used in a manner that affects interstate or foreign commerce or 
communications of the United States” (Brenner, 2011). This provision enables 


US law enforcement to engage in investigations in foreign countries, so long 


as the investigation is recognized as legitimate by that nation. In addition, the 
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PATRIOT Act modified the law to also include any unauthorized access to a 
computer or network that: 


1 modifies or impairs access to medical data; 

2 causes physical injury to a person; 

3 poses a threat to public health or safety; or 

4 damages a computer used by a government entity in the administration of 


justice, national defense, or national security. 


Though this language does not specifically recognize cyberterror, the expansion 
of the statute enabled greater latitude for federal law enforcement to pursue 
cybercriminals and more effectively prosecute those who would target either 
critical infrastructure or sensitive data sources that could cause significant harm 
in the real world. 

In addition, the PATRIOT Act also relaxed the legal provisions needed for law 
enforcement agencies to engage in surveillance of electronic communications. For 
instance, the Act revised provisions of the Electronic Communications Pri- 
vacy Act (ECPA) related to subpoenas of Internet Service Providers (ISPs) and 
cable companies. The Act enabled law enforcement to obtain the name and address 
of subscribers, along with their billing records, phone numbers called, duration 
of sessions while online, services used, communication device information, and 
other related data. The release of such information can enable law enforcement 
to more effectively trace the activities of a user to specific websites and content 
during a given session of Internet use. In addition, the ECPA now defines email 
that is stored on a third-party server for more than 180 days to be legally viewed 
as abandoned. As a result, law enforcement can request this data and the content 
of the email, whether opened or unopened, be turned over without the need for 
judicial review. Finally, the PATRIOT Act allowed ISPs to make emergency 
disclosures of information to law enforcement in instances of extreme physical 
or virtual threats to public safety. Such language allows for greater surreptitious 
surveillance of citizens with minimal government oversight or public awareness. 

At the state level, there is generally little legislation that exists with regard to 
cyberterrorism. Arkansas, Connecticut, Georgia, Illinois, Indiana, and West Vir- 
ginia all have statutes that directly or indirectly relate to cyberterrorism (Brenner, 
2011). For example, Arkansas recognizes an act of terror as any act or series of 
two or more acts that attempt to disable or destroy data, computers, or computer 
networks used by industry, government, or contractors. Connecticut more nar- 
rowly defines an act of “computer crime furtherance of terrorist purposes” as an 
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attempt to use computer crimes in order to intimidate or coerce either the gov- 
ernment or civilian populations. Georgia has criminalized the use of a computer 
in order to disseminate information related to terrorist activities (Brenner, 2011). 
The lack of state-based legislation may stem from the recognition that an act of 
terror, whether virtual or real, will more immediately fall under the investigative 
responsibility of the federal government. At the same time, the presence of such 
legislation suggests these states are progressive in their thinking about these issues 
and may serve as models for other states across the country. 

Other nations have adopted similar language to that of the USA PATRIOT 
Act, such as Canada’s Anti-terrorism Act of 2001, which changed standards for 
the interception of domestic communications of all kinds (Brenner, 2011). For 
instance, this law allows the Communications Security Establishment of Canada 
(an analog to the NSA) to intercept communications that either begin or end 
in Canada and involve a foreign source. Prior to this law, any domestic infor- 
mation acquired in the process of an international intercept would have been 
destroyed or ignored. Though there has been substantive public debate sur- 
rounding the legitimacy of these new laws, the Canadian government has not 
moved to strike them down. Similar legislation in Australia and New Zealand 
has, however, been repealed due to the perception that they are too extreme 


and degrade public trust in government (Rid, 2013). 


Investigating and Securing Cyberspace from 
the Threat of Terror 


The landscape of agencies responsible for dealing with the threat of terror 
and extremism in online spaces is varied, and reflects a whole of government 
approach adopted by many nations over the last two decades. This section will 
consider the range of national and federal agencies tasked with enforcing the 


existing laws by place. 


The Federal Bureau of Investigation 


As noted earlier, the FBI plays a critical role in the investigation of both tra- 
ditional crimes and cybercrimes. In fact, the investigation of terror attacks and 
foreign intelligence operations are among the top priorities of the Bureau. The 
National Security Branch (NSB) of the FBI is designated with the task of 


gathering intelligence and coordinating investigative efforts to disrupt terrorist 


groups and foreign intelligence groups (FBI, 2021). 
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The NSB was established in 2005 as a result of a presidential directive to 
combine the mission and resources of the counterterrorism, counterintelligence, 
and intelligence mission of the bureau under a single unit. This branch includes 
five components: (1) the FBI’s National Joint Terrorism Task Force 
(JTTF) which manages 104 JTTFs linking multiple federal law enforcement 
agencies together, shares intelligence, and works cooperatively on terrorism 
investigations; (2) the Counterintelligence Division to affect traditional and 
non-traditional espionage and intelligence gathering in the United States (see 
Chapter 11); (3) the Weapons of Mass Destruction Directorate (WMDD) 
designed to reduce the threat and proliferation of nuclear, biological, and chem- 
ical weapons; (4) the Terrorist Screening Center, which generates actionable 
intelligence for state and local law enforcement agencies and maintains the con- 
solidated Terrorist Watchlist; and (5) the High-Value Detainee Interrogation 
Group that actively collects information from terror suspects in order to gain 
information to deter attacks against various targets (FBI, 2021). The Terrorist 
Explosive Device Analytical Center (TEDAC) also operates within this area as 
a resource to analyze improvised explosive devices (IEDs) designed and used by 
terrorist actors. The TEDAC serves as the hub for all analyses of such weapons 
across the whole of government, including the military (FBI, 2021). Thus, the 
FBI plays a critical role in both law enforcement, homeland security, and the 


intelligence community generally. 


For information on the recent DOJ indictment of two Russian spies 
allegedly responsible for Yahoo hacks, go online to: http://www. 
cnn.com/2017/03/14/politics/justice-yahoo-hack-russia/index.html 


The Department of Homeland Security 


The Department of Homeland Security (DHS) is a cabinet-level depart- 
ment which consolidated various federal agencies under a single department 
heading. Created in 2001 following the September 11 attacks, DHS handles 
civilian infrastructure and populations within the borders of the United States 
(DHS, 2021). Their mission includes a variety of agencies focused on tradi- 
tional physical resources, such as Immigration and Customs Enforcement (ICE) 
and the Transportation Safety Administration (TSA), and finance via the Secret 
Service. In addition, the DHS Homeland Security Investigations (HSI) section 
within ICE has multiple roles in the response to terror threats in the United 
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States. The National Security Investigations Division has the responsibility 
to respond to terror and crime threats as they move through the US border 
and throughout the nation. Specifically, the Counterterrorism and Criminal 
Exploitation Unit focuses on the identification of terror and crime threats 
through the US border system, particularly through identity document and visa 
monitoring (ICE, 2021). 

Additionally, DHS operates a National Security Unit through its DC head- 
quarters as a unifying body to synchronize and integrate intelligence and oper- 
ational practice into a single strategic response to terrorism. They manage DHS 
responsibilities on the FBI’s JT'TFs to combat threats to national security, with 
particular focus on economic offenses and border crossing detection. Addition- 
ally, the NSU Counterterrorism Sections (CTS) supports the DHS HSI coun- 
terterrorism training and coordinating staffing needs to the JTTFs. 

ICE HS] also operates the Office of Intelligence to collect information on var- 
ious aspects of illicit commerce and the movement of potential threats through 
the United States and its partners. The primary unit of the office responsible 
for collect intelligence on credible threats is the Intelligence Analysis Division. 
They produce reports, briefings, and direct information to appropriate agencies 
to facilitate criminal investigations across ICE (DHS, 2021). The Trade and 
Financial Crimes Unit (TFCU) produces similar information associated with all 
manner of the criminal economy, inclusive of smuggled goods detected at the 
border to money laundering investigations. The National Security and Pub- 
lic Safety Unit collects information on various foreign and domestic threats, 
including attempts to target critical infrastructure on and off-line. Additionally, 
the Collections Division focuses on the dissemination of timely sensitive infor- 
mation to all appropriate entities involved in homeland security to improve the 
response to crime and terror (DHS, 2021). Finally, the Intelligence Integration 
and Emergency Management (IEMO) Division provides resources to link fed- 
eral and state agencies, facilitate information sharing, coordinate the response to 
natural and man-made threats across ICE, and collect information on various 
threats reported to ICE (DHS, 2021). 

The role of cybersecurity and its link to terrorism and critical infrastructure 
protection has also grown substantially within DHS over the last decade. DHS 
now operates the Cybersecurity and Infrastructure Security Agency 
(CISA) which plays multiple roles in coordinating cybersecurity strategies, 
along with communications in the event of major emergencies and disasters 
(DHS, 2021). One of the key components under this Office is the National 
Cybersecurity and Communications Integration Center (NCCIC), which 
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opened on October 30, 2009 (DHS, 2021). The NCCIC’s mission is to mini- 
mize the likelihood of successful attacks against both critical information tech- 
nology and communications networks. The NCCIC also serves to connect 
multiple government organizations together in order to protect computer sys- 
tems and networked infrastructure in general. It also plays a role in linking the 
public and private sectors together in order to help promote information sharing 


and improve the state of cybersecurity through awareness of emerging threats. 


For more on the organizational structure of the US DHS, go 
online to: https://www.dhs.gov/organizational-chart 


Within the NCCIC, there are four operational branches. First, the NCCIC 
Operations and Integration branch (NO&lI) serves as the hub for planning, 
coordinating, and integrating all capabilities across the NCCIC (DHS, 2021). 
Second, the National Coordinating Center for Communications (NCC) serves 
as the hub for any efforts to either restore or initiate telecommunications ser- 
vices and facilities on behalf of National Security and Emergency Preparedness. 

Third, the US-Computer Emergency Readiness Team, or US-CERT, 
serves as a response center and information clearing house for cyberthreats 
across the world (DHS, 2021). The CERT provides reporting mechanisms for 
vulnerabilities and threats to systems, as well as security tools to help patch and 
protect systems from attack (DHS, 2021). The CERT can also serve to analyze 
and track threats as they evolve for virtually any branch of government and 
civilian networks. They also operate multiple educational forums, webinars, and 
educational resources to enable information sharing on cybersecurity threats to 
various industry sectors (DHS, 2021). 

Finally, an Industrial Control Systems Cyber Emergency Response Team 
(ICS-CERT), which plays a similar function to the US-CERT, but focuses 
solely on control systems used in critical infrastructure and systems, such as 
water and energy providers. The ICS-CERT can also provide incident response 
operations to restore services and analyze attacks. They also serve as a key point 
of communication between the private and public sector to share information 
on control-system related threats (DHS, 2021). 

The federal response to terror threats also links to state and local agencies 
in the United States through fusion centers as a means to share and investi- 
gate threats within a given area (Chermak et al., 2013; Coburn, 2015). Fusion 
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centers became a part of the national response to terror in 2003 as a joint effort 
of the DHS and the Office of Justice Programs to improve communication 
of intelligence gathering (Coburn, 2015). Fusion centers not only receive and 
develop investigative leads from federal sources, but also collect and pass rele- 
vant information to federal, state, and local entities which may be affected (see 
also Chapter 2 for detail). 


Other Nations’ Responses to Cyberterror 


Other nations utilize similar mechanisms to secure various infrastructure from 
both cyberthreats and traditional terrorism. For instance, the Centre for the 
Protection of National Infrastructure (CPNI) in the United Kingdom 
exists to inform critical infrastructure owners of emerging threats and coordinate 
responses in the event of a compromise (CPNI, 2014). Similarly, Australia now 
has the Critical Infrastructure Center which was founded on January 23, 
2017 to coordinate the response to threats to the nation and its territories against 
the various systems and networks (Australian Government Attorney General’s 
Department, 2017). 

Additionally, multiple Western nations operate collaborative policing 
units to support counterterrorism operations. In the United Kingdom, the 
National Counter Terrorism Policing Network (NCTPN), or Police 
Counter-Terrorism Network links multiple national agencies, military, and 
regional police agencies under a single roof. The NCTPN directs efforts through 
11 dedicated Regional Counter Terrorism (CTU) and Regional Counter Ter- 
rorism Intelligence (CTIU) Units to operate across the United Kingdom, as 
well as through national units (Counter Terrorism Policing, 2018). The CTUs 
focus on police and investigation efforts to disrupt terrorist activities, while the 
CTIUs produce and disseminate actionable intelligence on threats from foreign 
and domestic actors (Counter Terrorism Policing, 2018). 

The Canadian Integrated National Security Enforcement Teams 
(INSET) operate similar structural policing efforts against terrorism through the 
federal Public Safety Canada. There are five of these teams across the country, 
which formed in 2002 after the 9/11 attacks in the United States. The Aus- 
tralian Federal Police (AFP) also operate Joint Counter Terrorism Teams 
(]CTTs) in each of the states and territories across the country (AFP, 2022). 
They also operate the National Disruption Group (NDG), which detects and 
prevents the travel of individuals who seek to engage in terrorism or seek train- 
ing abroad (AFP, 2022). 


407 


Online Extremism and Cyberterror 


408 


Summary 


This chapter demonstrates the complex and very real threat that is posed by acts 
of online extremism and cyberterrorism, including the application of hacking 
techniques in furtherance of ideological agendas. These threats require a sophis- 
ticated response from law enforcement at all levels of government in order to 
properly defend against attacks. At the same time, it may not be immediately 
clear when an attack is motivated by an extremist agenda or when it is simply 
criminal. Thus, the problem of cybercrime, hacktivism, and cyberterror will 
involve investigative resources and initiatives to determine the origins of an 
attack and the actors responsible. This issue will continue to evolve along with 
technology adoption and use across the globe. Hopefully, however, we will not 
experience an electronic Pearl Harbor incident in the years to come. 
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Joint Terrorism Task Force (JT TF) 
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National Counter Terrorism Policing Network (NCTPN) 

National Joint Counter Terrorism 

National Policy Institute (NPI) 
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Uniting and Strengthening America by Providing Appropriate Tools 
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Discussion Questions 


1. How should we define or view the activities of Anonymous? They hack 
government targets, civilians, and industry. As such, should their actions 
be viewed as cybercrime, hacktivism, or cyberterror? Why? 

2. What real-world events, whether political, military, or social, could trig- 
ger a cyberattack? Why? 

3. Why is it necessary to have a combined and coordinated set of agencies 
linking local to national/federal responses to terrorism and extremists? 

4. Are free speech concerns in the United States enough to justify not man- 


aging or legislating against hate speech online? 
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Chapter Goals 


e Define cyberwarfare and its relationship to traditional or kinetic warfare 

e Understand how nation-states may utilize the Internet as an attack vec- 
tor in a different way than individual citizens with no state sponsorship 

e Define and understand disinformation as a form of cyberwarfare 

e Recognize the agencies responsible for offensive and defensive warfare 


actions in online spaces 


Introduction 


In 2015, the US Office of Personnel Management (OPM) notified the 
public that their systems had been compromised by an external source, leading 
to a data breach (Fruhlinger, 2020). Though data breaches are extremely com- 
mon, this incident was unlike others as the OPM maintains extremely sensitive 
records about the government’s workforce. Specifically, OPM maintains a data- 
base of the background paperwork employees complete to obtain security clear- 
ances for various jobs, called the SF-86 form (Fruhlinger, 2020). The contents 
of these forms includes massive amounts of detail, including financial records, 
drug and alcohol use, the places individuals have lived throughout their lives, 
and their fingerprints. The loss of millions of these records creates a substantial 
risk to US national security, as the information collected from SF-86 forms are 
used to help decide what level of security clearance an individual may obtain 
(see Box 11.1 for detail). Ifa person has substantial debts, personal problems, or 
other issues that could be used to coerce them into providing secret informa- 
tion, they are less likely to receive a high clearance (Fruhlinger, 2020). 

The loss of this extremely sensitive information was traced back to 2013, 
almost two full years before the breach was announced. Attackers were able to 
compromise various contractor systems, as well as OPM and the Department of 
Interior using malware and other tools to finally gain access to the sensitive data 
they sought (Fruhlinger, 2020). After what is thought to be 18 months of slow, 
careful attacks, the entities involved were able to exfiltrate over 4.2 million 
records from government systems (Fruhlinger, 2020). 

Though it is not entirely clear who performed the hacks, evidence sug- 
gests that state-sponsored hackers associated with China were involved. The 
tools used were associated with Chinese-language hacker groups and had been 


used against political activists in Hong Kong and Tibet (Fruhlinger, 2020). 
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Box 11.1. An Opinion on the Risk of Data Breaches 
to National Security 


Why the OPM Hack Is Far Worse than You Imagine 


https://www.lawfareblog.com/why-opm-hack-far-worse-you-imagine 


The scale of the OPM breach is larger and more harmful than appreci- 
ated, the response to it has worsened the data security of affected indi- 
viduals, and the government has inadequately addressed the breach’s 


counterintelligence consequences. 


This article, written as an opinion piece, provides a critical assessment 
of the impact that a data breach, such as the OPM hack, has on the state 
of US national security. The author provides a detailed breakdown of 
the sensitive nature of the data obtained and the rather detailed decision- 
making involved in assigning security clearances to employees. Readers 
will garner a much more robust appreciation for the scope of this breach 


and its potential harms. 


A number of US government employees were also reassigned from duties in 
China following the breach, which is also thought to support the role of China 
in the hack. Finally, the data taken by the hackers clearly relates to the interests 
of a foreign government (Fruhlinger, 2020). Having clear information on the 
individuals within a rival government who may be easily swayed into providing 
sensitive information would be invaluable so as to improve their intelligence 
collection practices. 

This hack is unfortunately just one in a long campaign of Chinese efforts 
against US government targets in cyberspace. In fact, the security firm Mandiant 
(2013) published a report linking multiple years of attacks to a single unit of the 
People’s Liberation Army of China (PLA) that was previously unidenti- 
fied. This group, designated Unit 61398 in the 3rd Department of the General 
Staff Department (GSD) of the PLA, is thought to be staffed by dozens, if not 
hundreds, of workers with specialized knowledge of computer security and 
network attacks. The unit has actively compromised various targets for years, 
including attempts to gain access to companies managing electrical grids and 


pipelines for oil and gas. In addition, the attackers were able to stay inside of 


targeted systems for up to a year at a time and maintain backdoor access to 
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systems. As a result, Mandiant refers to their attacks as Advanced Persistent 
Threat (APT) 1 due to their persistence and effectiveness. 


For more on the APT1 report, go online to: http://intelreport. 
mandiant.com/Mandiant_APT1_Report.pdf 


The persistence of high-level attacks with direct connections to the military 
demonstrates that the online environments we depend on for all aspects of mod- 
ern life are also a hotbed for attacks between nations around the world. These 
attacks present clear risks to virtually all citizens of the world, though it is not 
clear how well these issues are understood. This chapter will identify the role of 
nation-states in cyberattacks, define the concept of cyberwarfare, and recognize 
its various forms. The government and military entities involved in both the 
attack and defense of national resources will also be discussed in detail. 


Defining Warfare and Cyberwarfare 


As cyberspace plays an increasingly critical role in managing the everyday 
aspects of communication and critical infrastructure, governments and military 
agencies are increasingly attempting to establish their role in cyberspace. With 
that in mind, we must define a nation-state and contextualize its relationship 
to warfare. Creveld (1999) argues that a nation-state has three characteristics: 
(1) sovereignty, (2) territoriality, and (3) abstract organization status. Sover- 
eignty involves the authority or power to rule as well as make and enforce laws 
within a given area. Territoriality recognizes that a state or governing body 
exerts power within specific, recognized borders (Creveld, 1999). The idea of 
“abstract organization” involves the concept that each state has a distinct 
and independent persona, which is separate from that of its people. Specifically, 
the state is a political entity, while the culture and/or ethnic composition of a 
place makes up its national identity (Creveld, 1999). For instance, the United 
States utilizes a democratic system of government, while its national identity is 
one that is a cultural mélange of various heritages and backgrounds based on the 
influx of immigrants over time. 

National sovereignty and territorial control is critical to the rationale for why 
cyberspace, which is technically borderless, must be controlled through various 
means. A nation is thought to have the right to defend itself and its interests 
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from harm, including the use of force when necessary (Andress & Winterfeld, 
2013; Rad, 2013). As a result, nations have the authority to form and maintain 
standing military forces to use for the purposes of self-defense and proactive use 
of force when warranted. At the same time, there should be a clear and justifi- 
able cause for any use of force, and it should be viewed as an act of last resort 
(Andress & Winterfeld, 2013; Rid, 2013). In fact, nations typically employ dif- 
ferent strategies before choosing to engage in the use of force, such as diplo- 
matic negotiations with a foreign power or economic sanctions to attempt to 
produce an outcome (Andress & Winterfeld, 2013; Lancelot, 2020). 

These principles are referred to as jus ad bellum or the notion of just war 
as a means to ethically guide conflict and minimize harm as a result of violence 
in physical settings (Andress & Winterfeld, 2013). Nations can defend their bor- 
ders, whether on land, sea, or air. There is, however, no single agreed-upon 
definition for warfare, even among the United Nations. The historical literature 
on war and warfare tactics, however, suggests that it can be viewed as an act of 
force or violence that compels the opponent to fulfill the will of the victor 
(Andress & Winterfeld, 2013; Brenner, 2008; Schwartau, 1996). There are a set 
of principles that should guide the actions of combatants recognized as the the- 
ory of jus in bello or how to act in war (Rid, 2013). The Geneva Conven- 
tion and various international laws are currently in place as a means of 
standardizing rules of engagement that produce the least harm to participants. 
For instance, the use of chemical or biological weapons can cause extreme phys- 
ical pain to combatants, easily affect civilian populations, and potentially cause 
mass losses of life. Thus, there are now multiple international laws and agree- 
ments intended to reduce its use in conflicts around the world (Andress & Win- 
terfeld, 2013; Lancelot, 2020). 


For more on the Geneva Conventions and its role in defining the 


standards for modern warfare, go online to: https://ihl-databases. 


icrc.org/applic/ihl/ihl.nsf/vwT reaties1949.xsp 


Many industrialized nations recognize the threat that cyberattacks can pose 
to military and governmental infrastructure. Some consider cyberspace to be 
a new warfare domain just like the various physical spaces in which military 
operations occur (Andress and Winterfeld, 2013; Rid, 2013). As a consequence, 


it is necessary to consider how fighting a war in this domain may operate and 
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what constitutes an act of cyberwar. When applied to cyberspace, the use of 
war tactics appears designed to control and affect the activities of an opposing 


2 6 


force. Brenner (2008) defined cyberwarfare as nation-states’ “use of military 
operations by virtual means ... to achieve essentially the same ends they pursue 
through the use of conventional military force” (p. 65). Thus, the domain of 
conflict for cyberwar is different from traditional conflicts in that the operations 
take place in a virtual space (Rid, 2013). 

The weapons of cyberwar are also different from those of traditional combat 
that involves firearms, explosives, and so-called kinetic weapons that affect 
damage to a target. In online spaces, cyberwarfare actors may utilize malware 
and hacking techniques in order to affect system functionality, access to infor- 
mation, or critical infrastructure (Lancelot, 2020; Rid, 2013). The outcomes 
and goals of cyberwar, however, are similar to physical war in that fighters may 
attempt either targeted tactical strikes against a specific target or try to cause as 
much damage as possible to the operational capacity of a nation-state. 

There is no necessary clarity as to whether acts of cyberwarfare must be used 
in response to physical or cyberattacks (Lancelot, 2020; Rid, 2013). Various 
nations have stated publicly that they will use physical attacks proportionally in 
response to certain forms of cyberattack, though there has been little evidence 
of such incidents occurring in practice (Lancelot, 2020). One of the first such 
instances was reported on May 6, 2019, when the Israeli Defense Force 
claimed that it bombed a building in Gaza to eliminate a group of Palestinian 
fighters engaged in a cyberattack against Israeli systems (Newman, 2019). Sim- 
ilarly, the US military reportedly engaged in a cyberattack that disabled Iranian 
military missile and rocket launchers in June 2019. The attack was launched in 
retaliation for Iran shooting down a US drone and broader attacks against oil 
tankers at sea (BBC, 2019). 

These incidents highlight the reality that cyberattacks have become an 
important part of nation-state power, due in part to modern dependencies on 
technology. Nearly all critical systems in modern industrialized nations depend 
on the Internet for commercial or logistic support. For example, water and sew- 
age treatment plants, nuclear, hydroelectric, and other power grids are depend- 
ent on the Internet for command and control (Rid, 2013). Virtually all facets of 
banking, stock exchanges, and economic systems are run through the Internet. 
Even aspects of the military and related defense contractors of the world are 
run through civilian or commercial telephony (Andress & Winterfeld, 2013). 
Any attack that could effectively disrupt the communications capacity of the 
Internet could effectively cripple our society, which would have ripple effects 
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throughout the real world. At the same time, the sensitive data maintained by 
government or military agencies could be compromised and/or stolen in order 
to gain an economic or defensive advantage (Andress & Winterfeld, 2013; Rid, 
2013). Thus, hacking sensitive systems would be an easy and immediate way to 
affect an enemy through cyberwarfare. 

Over the last two decades there have been an increasing number of incidents 
that might practically be viewed as cyberwar (Lancelot, 2020). One of the ear- 
liest examples is the conflict between Russia and Estonia in 2007. A conflict 
developed between Russian and Estonian factions in April 2007 when the Esto- 
nian government removed a Russian war monument from a memorial garden 
in a national cemetery (Brenner, 2008; Jaffe, 2006; Landler & Markoff, 2007). 
The statue, called The Bronze Soldier of Tallinn, was installed as a monument 
to the Russian involvement in World War II and was viewed as a relic from 
Estonia’s time as part of the former Soviet Union. Now that Estonia was its 
own independent nation, the government felt it appropriate to have the statue 
removed (Guadagno et al., 2010). Russian citizens living in Estonia and else- 
where were enraged by this action, leading to protests and violence in the streets 
of both countries. Over 1,300 were arrested during protests in Estonia, many of 
whom were ethnic Russians living in the country. 

The conflict quickly grew into online spaces, with hackers in both Estonia 
and Russia attempting to engage in different hacks and spam campaigns (Bren- 
ner, 2008; Jaffe, 2006). Russian hackers also leveraged online forums and hacker 
sites in order to rally attackers together to increase the volume of their attacks 
and used huge botnets of compromised computers for DDoS attacks (Clover, 
2009; Davis, 2007). The attacks incorporated many individuals who were inter- 
ested in attacking Estonia out of their love and respect for their homeland, many 
of whom had little knowledge of computer hacking. As a consequence, Russian 
attacks were able to shut down critical components of Estonia’s financial and 
government networks, causing significant economic harm to citizens and indus- 
try alike (Brenner, 2008; Landler & Markoff, 2007). The Estonian parliament 
and almost every governmental ministry website were affected. In addition, 
three of the six national news agencies and two of its largest banks also experi- 
enced problems (Clover, 2009). In fact, banks were knocked offline for hours 
and lost millions of dollars due to DDoS attacks (Landler & Markoff, 2007). 


For more on the transformative impacts of the Russia-Estonia 
cyberconflict, go online to: https://www.bbc.com/news/39655415 
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In the wake of this onslaught, the Estonian government accused the Rus- 
sian government of supporting and encouraging these attacks. To date, there 
has been no concrete evidence provided to support Russian state sponsorship 
(Denning, 2010). Many observers, however, have argued this incident is a clear 
demonstration of how nation-states may engage in conflicts in the future. The 
actors involved may be driven by their own sense of duty to their country or by 
actual military doctrine. Regardless, the severity of the attacks demonstrates the 
need to identify how cyber resources might be affected by conflicts in the real 
world. In fact, one of the guiding documents for the legal challenges evident in 
cyberwarfare activities is called the Tallinn Manual due in part to these attacks 
(Lancelot, 2020). 

A more recent example is the appearance of a piece of malicious software 
called Stuxnet. This computer worm was used in attacks against the Natanz 
uranium enrichment facility in Iran (Clayton, 2010; Kerr et al., 2010). Stuxnet 
was designed to specifically compromise and harm computer systems in order to 
gain access to the supervisory control and data acquisition (SCADA) 
systems that are used to run the centrifuges and equipment within these plants 
(Clayton, 2010; Sanger, 2012). Specifically, the code would allow these systems, 
connected to the Internet, to be given commands remotely by the attacker, 
while shielding the actual behaviors of the centrifuges from the plant’s SCADA 
control systems. As a result, attackers could surreptitiously disrupt the plant’s 
ability to process uranium and cause confusion among operators and controllers. 
It is unknown how long the malware was able to operate inside of the facility, 
though estimates suggest it may have impacted 1,000 of the 5,000 centrifuges 
in the plant and delayed the overall functionality of the nuclear plant by months 
or years (Kerr et al., 2010; Sanger, 2012). 


For more information on Stuxnet, go online to: 


1. www.youtube.com/watch?v=n7UVyVSDSxY 
2. www.youtube.com/watch?v=863SNTqy Yto 


Recent evidence suggests that Stuxnet was developed by the United States 
under the Bush administration as evidence grew regarding the Iranian nuclear 
program aspirations. The program, called Operation Olympic Games, was 
proactively implemented by an executive order of President Obama because it 
was thought that this sort of attack would be more targeted, difficult to detect, 
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and produce fewer civilian casualties or collateral damage than a physical strike 
(Sanger, 2012). In addition, the use of this code was thought to have reduced 
the likelihood of a conventional military strike by Israel which would have dan- 
gerous consequences for the region as a whole. 

The United States has not acknowledged any of the claims made related to 
Stuxnet, though its release in the wild has given computer security professionals 
and hackers access to this extremely sophisticated malware. The program may 
serve as a basis for the development of tools in order to exploit or attack critical 
infrastructure across the globe (Brodscky & Radvanovsky, 2010; Clayton, 
2010). The US Department of Homeland Security (DHS) expressed substantial 
concern over the use of Stuxnet-like code in attacks against US power installa- 
tions (Zetter, 2011). Thus, cyberattacks may be an increasingly common way 
for nation-states to engage one another to cause harm. 


For information on US cyber attempts to attack the North 


Korean missile program, go online to: https://www.wired.com/ 


story/cyberattack-north-korea-nukes/amp 


The Role of Nation-State Actors in Cyberattacks 


Though nations have the capacity to defend their territorial boundaries and sov- 
ereignty through force, they face the risk of retaliation from an opposing coun- 
try. This is true in both physical space and online environments, as noted above. 
As a result, some nation-states may utilize their citizen populations to engage 
in illegal activities in order to gain either economic or political advantage over 
another nation (see Box 11.2). For instance, a nation-state might encourage 
individual citizens to engage in the theft of trade secrets or intellectual property 
in order to gain economic advantage over another country they must compete 
with in the open market (Andress & Winterfeld, 2013; Rid, 2013). The originat- 
ing nation may provide indirect economic support to actors in order to facilitate 
their activities, but it does not provide any overt recognition or direct orders that 
can be traced back to the government. Such actions allow governments to tacitly 
perform illegal activities without directly evidence of their support for the act. 
This is particularly observable in online environments, where foreign gov- 
ernments can take various steps to minimize the likelihood of attribution, or 


association of an attack with their government or military (Rid, 2013). One of 


the most notable incidents of the last few years involves a major attack against 
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Box 11.2. The Use of Civilians in Nation-State 
Actions 


Putin’s Angels: The Bikers Battling for Russia in Ukraine 


https://www.theguardian.com/world/2016/jan/29/russian-biker-gang- 


in-ukraine-night-wolves-putin 


He and other bikers actively engaged in Russia’s covert invasion of 
Crimea, swapping leathers for body armour; that summer, they joined 


Ukraine’s separatist insurgency. 


This article discusses the involvement of a Russian motorcycle gang 
called the Night Wolves in the recent Russian invasion and annexation of 
Crimea, a part of Ukraine. The Russian military took part in these actions, 
though they were supported in part by the Night Wolves as an irregular 
force. This article highlights the ways that civilians with tacit nation-state 


backing can help achieve a nation’s goals. 


Sony Pictures Entertainment in the United States. In 2014, a group calling itself 
Guardians of Peace hacked Sony Pictures Headquarters and notified the 
company of the compromise by flashing a message featuring a red skull on every 
employee computer stating: “if you don’t obey us, we'll release data shown below 
to the world” (Robb, 2014). The hackers used a variety of malware tools to 
compromise the network, eventually obtaining as much as 100 terabytes of data 
from the company including personal emails, scripts, and details on all employees. 

The hackers dumped massive amounts of intellectual property and personal 
information online including films that had not yet been released in theaters, 
details on employee salaries, medical histories, and embarrassing email exchanges 
between executives regarding various actors and film projects (Robb, 2014). 
They also threatened Sony employees with physical violence, and eventually 
any US movie theater if they screened the film “The Interview,” a comedy 
where two reporters attempt to assassinate North Korean leader Kim Jong-un 
(Robb, 2014). 

While it is possible that these attacks were driven by individual hackers with- 
out state support, it is important to note the massive quantity of data acquired 
by the hackers and the use of somewhat sophisticated attack tools suggest these 
were no ordinary economically motivated hackers (Zetter, 2016). Additionally, 
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the fact that they targeted Sony Pictures and made no attempt to sell the infor- 
mation they acquired or blackmail the company but rather dumped it online 
in multiple batches over time appears to be designed to embarrass the company 
and its employees (Robb, 2014). The eventual expressed interest of the hackers 
to keep the company from releasing a film that painted North Korea in a nega- 
tive light, even including threats of physical violence (Robb, 2014), is more in 
keeping with the interests of a nation-state rather than that of the larger criminal 
hacker community that seeks access to sensitive data. Finally, the source of these 
attacks have some connections to the nation of North Korea, including the use 
of malware containing Korean-language characters that were identified in sub- 
sequent attacks against South Korean targets (Zetter, 2016). 

All of these points provide circumstantial evidence that the attacks were the 
result of state-sponsored actors working on behalf of the North Korean gov- 
ernment (Zetter, 2016). The lack of concrete evidence to support the role of 
the state in sanctioning this activity makes it difficult to identify a clear policy 
response. It may be best to treat this incident as a crime due to the lack of sub- 
stantial evidence that the North Korean government ordered this attack to take 
place. The totality of circumstances would suggest it is something greater than 
a crime, but the use of a military response may not be appropriate. As a result, 
the US government engaged in a series of economic sanctions against the North 
Korean government in retaliation for the attacks (Robb, 2014). As such, the use 
of actors with no direct ties to a government entity makes it difficult to clearly 


define this incident as an act of crime, espionage, or war. 


Offensive and Defensive Cyber-Operations 


There are three critical aspects of nation-state sponsored activities to affect com- 
puter networks, computer systems, and the data they house (Andress & Winter- 
feld, 2013). The first two focus on offensive activities that nations can take 
against one another in order to understand or affect their practical operations. 
The first is computer network exploitation (CNE), referencing the use of 
various tools and techniques to obtain information about an opposing nation’s 
computer network infrastructure, systems, or data (Andress & Winterfeld, 
2013). Attempts to document the Internet-enabled components of a nation’s 
critical infrastructure, inclusive of government, military, and civilian systems fit 
within this category. For instance, there have been numerous reports over the 


last few decades regarding Russia and China’s attempts to access the US electri- 


cal grid (Lancelot, 2020). Similarly, recent reporting suggests the United States 
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has engaged in the same activities against Russia (Sanger & Perlroth, 2019). 
These efforts are intended to not only map out where and how their systems 
work but also assess potential points of compromise and identify footholds into 
the networks supporting their SCADA infrastructure. 


For more information on nation-state exploitation of power 


grids, go online to: 


1. https://www.vox.com/world/2018/3/28/17170612/russia-hacking-us- 
power-grid-nuclear-plants 

2. https://www.wired.com/story/berserk-bear-russia-infrastructure-hacking/ 

3. https://www.wired.com/story/russian-hacking-teams-infrastructure/ 


Identifying the hardware and software programs used to support a nation 
are critical in the process of exploitation, as an attacking nation can use this 
information to map the vulnerabilities that may be present in their system. As 
noted in Chapter 4, a vulnerability is a flaw that can be used to compromise 
a system through the use of exploits, or a piece of code that is written to spe- 
cifically affect that vulnerability (Andress & Winterfeld, 2013; Taylor, 2001). 
Since nation-states engage in cyberattacks in ways that will not be immediately 
identified, they often utilize previously unidentified, or zero-day vulnerabilities 
and exploits to reduce their likelihood of detection (Rid, 2013). 

To do this, nation-states may actively seek out information on vulnerabilities 
so that they may later be weaponized for attack purposes. For instance, the US 
government operates a bug bounty program that pays hackers to identify vul- 
nerabilities in all manner of programs (Andress & Winterfeld, 2013). They also 
operate what is called the Vulnerabilities Equity Process (VEP), which is a 
high-level review of previously unidentified vulnerabilities performed by repre- 
sentatives of multiple government agencies, including the National Security 
Agency (NSA) (Herpig & Schwartz, 2019). Each vulnerability is reviewed to 
determine whether it should be reported to the public, or remain undisclosed so 


that it can be used in attacks by the government. 


For information on the US VEP program, go online to: https:// 
www.darkreading.com/vulnerabilities—threats/how-the-us-chooses- 
which-zero-day-vulnerabilities-to-stockpile-/a/d-id/1333652 
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The existence of this program was only made known after a group called The 
Shadow Brokers published a trove of hacking tools and previously unknown 
vulnerabilities and exploits online (Schneier, 2017). The group claimed to have 
stolen these materials from the US NSA in 2013, though it is not clear how 
exactly they obtained them. Regardless, the release of this information ena- 
bled hackers to immediately use high-level vulnerabilities in common products, 
including Cisco Internet routers, and the Microsoft Windows operating system 
(Schneier, 2017). The vulnerability noted in Windows operating system soft- 
ware went unreported for over five years, and the NSA only notified Microsoft 
a month before it was disclosed by The Shadow Brokers. Though a patch was 
released in March 2017 to fix the vulnerability known as EternalBlue, many 
systems remained vulnerable to compromise (Perlroth & Shane, 2019). 

Attackers were quick to leverage this vulnerability, and used it in two sepa- 
rate attacks in 2017; the WannaCry ransomware in May and NotPetya mal- 
ware in June (see Box 11.3 for detail). These attacks affected systems around 
the world and are estimated to have caused over $1 billion in damages across 
65 nations (Perlroth & Shane, 2019). Both forms of malware have links to 
nation-states, with North Korea thought to have been involved in WannaCry 
and Russia with NotPetya (Greenberg, 2018). These incidents highlight the 


Box 11.3. The Harm Caused by WannaCry Malware 


Two Years after WannaCry, a Million Computers Remain 
at Risk 


https://techcrunch.com/2019/05/12/WannaCry-two-years-on/ 


WannaCry spread like wildfire, encrypting hundreds of thousands of 
computers in more than 150 countries in a matter of hours. It was 
the first time that ransomware... had spread across the world in what 
looked like a coordinated cyberattack. 


This article provides a brief description of the WannaCry ransomware 
attack and its relationship to the release of the EternalBlue exploit code 
developed by the NSA. This piece also notes that there are still mil- 
lions of computers that are vulnerable to attack through the use of this 
exploit, demonstrating that security patching is not a perfect solution to 


security threats. 
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questionable ethics of nations actively keeping vulnerabilities secret so that they 
may reserve their use in cyberattacks. 

The second offensive action involves so-called computer network attacks 
(CNA), where various efforts can be taken to either affect the functionality 
of computer networks and/or data, or to destroy them completely. Attacks 
like Stuxnet and WannaCry are excellent examples of offensive attacks meant 
to proactively disable resources within a nation. Distributed denial of service 
attacks are another excellent example of such an activity, as the attacks make a 
service unavailable to those who need it. For instance, in 2009, a series of DDoS 
attacks affected South Korean and US websites associated with both govern- 
ment and commercial entities (Weaver et al., 2009). These attacks rendered 
various services unusable for periods of time, including the US State Depart- 
ment, the Korean government Assembly and their president’s website (Sang- 
Hung and Markoff, 2009). These attacks ran from July 4 to July 10, which 
correspond to a North Korean missile launch which occurred on July 4th and 
the 15th anniversary of the death of the North Korean dictator, Kim I] Sung 
on July 8th (Sang-Hung and Markoff, 2009). These factors, along with forensic 
analysis results, suggest that North Korean government actors may be to blame 
for these attacks (Zetter, 2016). 

Another key example of offensive attack operations to affect military tar- 
gets was identified in 2016 by researchers examining the activities of Russian 
state sponsored hackers (Volz, 2016). The Russian military intelligence has been 
linked to an attack against the Ukraine Army’s Howitzer artillery equipment. 
These cannons are able to fire large scale shells to cause serious harm to ground- 
based targets. The Howitzers operate based in part on targeting information 
provided by an Android-software application created by a legitimate source 
(Volz, 2016). Evidence suggests Russian attackers hid a piece of malware in 
versions of the application and posted it online in places that Ukrainian soldiers 
were likely to visit and download it for use in the field. The malware ena- 
bled Russian military actors to trace the physical locations of the users via the 
application, and in turn, better target those systems with physical attacks (Volz, 
2016). Reporting on the equipment losses due to direct attack suggests that 
these Howitzers were more likely to be disabled or destroyed since the malware 
was in the field. 

The final activity involves defensive actions on the part of governments and 
military organizations, referred to as computer network defense (CND). 
This term encompasses the range of strategies nation-states can employ to pro- 
tect networks and data from harm, inclusive of software and hardware solution 
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Box 11.4 Understanding the Risk of Social 
Engineering as a Tool for Cyberattack 


Warning as Iranian State Hackers Target LinkedIn Users with 
Dangerous New Malware 


https://www.forbes.com/sites/zakdoffman/2019/07/22/critical- 
linkedin-warning-as-irans-hackers-send-fake-invites-laced-with- 
malware/?sh=4be8a45c6ac1 


The campaign has been targeting LinkedIn users with plausible but 
bogus invitations to join a professional network and emailed attach- 
ments laced with malware that seeks to infect systems with a hidden 
backdoor and steal data and credentials. 


This article provides an overview of a phishing and cyberattack scheme 
implemented by the Iranian military to target Western nations. The author 
describes the methodology of the attackers and highlights that nation-state 
hackers will constantly evolve their methods to improve their likelihood 


of success. 


like firewalls and antivirus software (Andress & Winterfeld, 2013). Addition- 
ally, educational campaigns are essential to help reduce the risk that individuals 
respond to phishing emails, compromised applications, and social engineering 
campaigns targeting people through both internal and external systems like 
social media (see Box 11.4 for example). 

Network defense is arguably the most challenging component of cyberwar- 
fare, as there is no single solution to minimize the threat from nation-state actors 
(Andress & Winterfeld, 2013; Rid, 2013). Attacks can take multiple forms, and 
most nation-state groups will utilize attack strategies that are extremely difficult 
to identify while they are happening (Volz, 2016). Defenders must also recog- 
nize all the different surfaces they have to protect, from computers to mobile 
devices to weapons systems that utilize computers. Finally, military and govern- 
ment systems are connected to civilian companies and infrastructure through 
employees and contracting relationships (see Box 11.5; Andress & Winterfeld, 
2013). As a result, network defenders must design strategies that incorporate 


those networks and minimize the potential that attackers access their systems 


through private targets. 
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Box 11.5 Small Businesses Matter in Military 
Cybersecurity Planning 


Hawaii Wants to Form a Defense Industry Alliance 
for Local Businesses 


https://www.civilbeat.org/2021/02/hawaii-wants-to-form-a-defense- 


industry-alliance-for-local-businesses/ 


“We're kind of the connective tissue that brings those folks together, 
where it’s the local officials, academia, industry, and the military,” 
he said. 


The military already works closely with the University of Hawaii. The 
Air Force pays for UH’s Maui High Performance Computing Center 
and the Navy helped create its Applied Research Lab at UH Manoa. 


This article provides an overview of a plan being developed in Hawaii to 
help connect businesses more directly to the military entities operating 
within the state. Despite its small size and remote location, Hawaii is just 
behind Virginia for defense spending as a driver for its local economy. 
Thus, the state is seeking a way to help businesses tap into the defense 
industry, particularly around cybersecurity. 


National network defense strategies are also not prominently advertised 
or explained in order to minimize their potential to be defeated by attackers. 
Despite this challenge, one of the more prominently acknowledged strategies 
for network defense in the United States is a program called EINSTEIN. 
This system was designed to engage in proactive intrusion detection of gov- 
ernment systems and potentially isolate those attacks in process (CISA, n.d.). 
It is currently housed within the Department of Homeland Security 
Cybersecurity and Infrastructure Agency (CISA), as a means to protect 
the civilian agencies within the US government. 

Though extremely complex in operation, the EINSTEIN program appears 
to operate by examining the general Internet traffic within civilian government 
agencies and utilizing this information as a means to establish a baseline for 
traffic patterns (CISA, n.d.). When Internet traffic deviates from that norm, 
the system can then consider if this constitutes an anomaly and is potentially 
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Box 11.6 The Challenge of Using Active Defense 
Tools in Practice 


Why the “Biggest Government Hack Ever” Got Past the Feds 


https://arstechnica.com/information-technology/2015/06/why-the- 


biggest-government-hack-ever-got-past-opm-dhs-and-nsa/ 


Put simply, as new capabilities for Einstein are being rolled out, they’re 
not keeping pace with the types of threats now facing federal agencies. 
And with the data from OPM and other breaches, foreign intelligence 
services have a goldmine of information about federal employees at 


every level of the government. 


This article provides a brief exploration of the ways that the use of the US 
EINSTEIN system failed to stop the Office of Personnel Manage breach, 
which caused millions of pieces of personal data to be lost. The piece notes 
that the attack techniques used by nation-state actors can easily blend in 
with general Internet use patterns, making it difficult to identify them 
while they occur. The article also provides an excellent explanation of the 
reasons why cyberdefense requires constant revision to keep pace with 


changes in attack practices over time. 


malicious. At that time, the system can actively attempt to actively mitigate this 
traffic in different ways and share that information with the whole of the gov- 
ernment to minimize future attacks from being successful (CISA, n.d.). Such 
active surveillance is extremely important but is not a perfect solution to stop all 
attacks (see Box 11.6 for more detail). As a result, there is a need for constant 
updating and improvement of security measures to minimize the likelihood of 


successful attacks. 


Information Warfare Campaigns Online 


Besides overt or covert cyberattacks, governments are increasingly using 
cyberspace as a platform to engage in information warfare campaigns 
against various nations. Information warfare involves the use of informa- 
tion and communications technology to gain advantage over an opponent 
and can involve multiple strategies to collect information from an opponent 
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Box 11.7 How the Creative Arts Can Be Used for 
Disinformation and Misinformation 


The Artists Who Outwitted the Nazis 


https://www.bbc.com/culture/article/20210223-the-artists-who- 
outwitted-the-nazis 


In the new age of aerial surveillance, camouflaging troops was a critical 
necessity, and with their insights about light, shade and perspective, 
painters and sculptors had just the talents for the job. For the first time, 
artistic skills became weaponised. 


This article provides an overview of the ways that artists and theatrical 
tricks were used by Allied forces to create optical illusions to fool Axis mil- 
itary forces during World War II. There is also a discussion of the so-called 
Ghost Army, a division of US special troops, who created inflatable tanks 
and equipment coupled with artificial lights and sounds to suggest entire 
battalions of soldiers were on the move. This disinformation was invalu- 
able to fool Nazi and Axis forces and shift focus from the actions of real 
troops. Readers will benefit from this information to better understand the 


role of information warfare in combat. 


or spread your own information (Andress & Winterfeld, 2013). Nations 
can use print media, radio, television, and other methods to further their 
interests and spread false information, called disinformation (see Box 11.7 
for detail). The Internet has become a critical resource to spread disinfor- 
mation quickly, efficiently, and with minimal attribution in order to either 
manipulate or demoralize a nation and its populace (Andress & Winterfeld, 
2013). Since most people now find news stories online, whether through 
traditional news media sources or via social media sites like Facebook, gov- 
ernments can leverage this as a resource to engage in campaigns of misinfor- 
mation or disinformation. 

For instance, there is substantial evidence that the Russian government oper- 
ates a “troll factory” out of St. Petersburg where individuals are paid to actively 
create and spread false information, whether through social media posts, com- 
ments in news stories and videos posted on traditional journalistic outlets, or 


via websites created by the trolls themselves (see Box 11.8 for detail, Keneally, 


Cyberwarfare and Information Operations Online 


Box 11.8 Inside the Russian Troll Organization 


The Agency 


https://www.nytimes.com/2015/06/07/magazine/the-agency.html 


One Russian newspaper put the number of employees at 400, with 
a budget of at least 20 million rubles (roughly $400,000) a month. 
During her time in the organization, there were many departments 
creating content for every popular social network. 


This article exposes the existence and operation of “The Agency,” wherein 
a group of people are paid to engage as professional online trolls for the 
benefit of the Russian government. The depth of their efforts is unpar- 
alleled and affects various nations in ways that no one could necessarily 
appreciate on the surface. This is required reading to understand the depth 
of the Russian information warfare apparatus. 


2017). The individuals engaged in this effort are referred to as trolls as a histor- 
ical reference to individuals who actively seek fights and cause trouble in online 
platforms. They also operate covertly through false online profiles that attempt 
to make the user seem like a citizen of a specific place and a true believer in 
a specific ideology in order to make their arguments more compelling and 
believable to others (Helmus et al., 2018; Timberg, 2016). In turn, trolls seek 
to turn average people against their governments or against their fellow citizens 
in order to sew mistrust and discontent and challenge the ability of a nation to 
be effectively led. 

The Russian troll brigade is thought to have actively engaged in a long 
campaign of misinformation to interfere in the 2016 US presidential election. 
Throughout the election, there were various news stories and websites designed 
to spread deliberately false information about the Democratic candidate Hillary 
Clinton to diminish the perception she was fit to serve. These stories quickly 
took on the moniker of fake news in an attempt to delineate their fictitious 
nature and differentiate it from news from traditional news stories (Higgins, 
2016). For instance, stories were posted on fake websites and social media 
claiming that Hillary Clinton promised to give amnesty to all undocumented 
immigrants who could prove they voted Democrat in the election (Rogers & 
Bromwich, 2016). 
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The generation of fake news was furthered in part by the actions of Russian 
nation-state sponsored hacker groups who used a phishing scheme to gain access 
to the email accounts used by members of the Democratic National Committee 
and the Clinton campaign (Pegues, 2018). This effort was successful and led 
hackers to gain access to a trove of emails containing both banal and sensitive 
information related to both the campaign and then-candidate Clinton’s activities 
(Pegues, 2018). These messages were slowly released via the websites DCLeaks 
and WikiLeaks beginning in June 2016 and continuing through November in 
the run-up to the election in order to negatively affect the public’s view of her 
ability to the do the job (Morning Edition, 2019). 

These steady but slow and small releases of information, coupled with fake 
news stories that went viral on various social media platforms, had a deleterious 
effect on a portion of the voting public’s views. The insidious nature of these 
interactions cannot be understated and have had lasting impacts on more than 
just the candidates. For instance, a staffer on the Clinton campaign named Seth 
Rich was murdered during what appeared to be a failed street robbery on July 
10, 2016 shortly after the first releases of emails from the hack (Kroll, 2020). 
Three days after his death, whatdoesitmean.com posted a claim that he was 
killed by assassins working on behalf of the Clintons to keep him from talking 
to the FBI about their corrupt practices. An intelligence brief was published on 
the same day giving the same basic details by the Russian SVR, the equivalent 
of the US CIA (Morning Edition, 2019). The concordance of these events sug- 
gests that the story was a plant by Russian intelligence services, but it gained 
extreme attention on social media and mainstream press, particularly Fox News 
opinion shows (Kroll, 2020). The story has been debunked in various outlets, 
though it continues to circulate and has caused dramatic harm for his surviving 
family members (Kroll, 2020). 


For more on the involvement of Russian state sponsored hack- 
ers in disinformation campaigns during the 2016 election, go 


online to: 


1. https://www.theguardian.com/technology/2016/jul/26/dnc-email- 
leak-russian-hack-guccifer-2 

2. https://time.com/4600177/election-hack-russia-hillary-clinton-donald- 
trump/ 

3. https://tume.com/5168104/mueller-indictment-russia-troll-factory-help/ 
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Box 11.9 The Role of Russian Hacking in 
Climategate? 


Seven Years before Russia Hacked the Election, Someone 
Did the Same Thing to Climate Scientists 


https://www.motherjones.com/politics/2017/12/climategate-wikileaks- 


russia-trump-hacking/ 


At the time, some observers openly wondered whether Russia might 
have orchestrated the Climategate hack. Investigators and other experts 
haven’t found much to support that hypothesis—the true culprit 


remains a mystery. 


This article explains that in 2008, a university research group examining 
climate change had their email accounts hacked. The information released 
in that hack eventually led to a wide focus on discrediting the science 
behind climate change, due in part to the ways that the scientists referred 
to their work. Years afterward, analyses suggest that these leaks link back 
to Russian actors, though the exact reason for such an incident remains the 
subject of speculation. The fact that the release of private emails and the 
ensuing disinformation campaigns they produced highlight the utility of 


disinformation in order to advance a cause. 


Though this was the first demonstrated instance of a coordinated nation- 
state-backed attempt to influence political outcomes in the United States, there 
is evidence that Russia has had a long involvement in disinformation to affect 
public opinion (see Box 11.9 for detail). The troll brigade has engaged in a 
long-standing campaign to destabilize European political order to increase Rus- 
sian power within the region (Helmus et al., 2018; Higgins, 2016). There have 
been repeated attempts to influence German voters’ views, as well as the pop- 
ulation of Finland that directly borders Russia. They have also attempted to 
whitewash and legitimize the Russian invasion of the Ukraine via fake news, 
propaganda, and trolling (Helmus et al., 2018). 

The persistence and prevalence of false news stories, conspiracy theories, and 
misleading comments online led the European Union (EV) to create a special- 


ized task force designed with the express purpose of identifying the Russian 


campaign’s strategies and exposing them to the public (Trans European Policy 
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Studies Association (TEPSA), 2016). The EEAS East StratCom Task Force 
was created in March 2015 by the European Council to provide information to 
the EU and its member states on the extent of Russian disinformation cam- 
paigns. They publish the Disinformation Review every Thursday to show 
the latest examples and trends in Russian trolling, as well as daily updates on the 
practices of Russian media broadly (TEPSA, 2016). 


For more information, go online to: https://euvsdisinfo.eu/disinfo- 


review/ 


The use of disinformation is not limited only to Russia, as many other nations 
have found success in the use of social media and online news in order to affect 
public opinion (see Box 11.10 for detail). Recent evidence from Facebook and 
Instagram noted that both French and Russian disinformation campaigns have 


Box 11.10 How Nations are Using Disinformation 
to Their Benefit 


Are China and Iran Meddling in US Elections? It’s 
Complicated 


https://www.vox.com/21418513/china-iran-us-election-meddling-russias 


“T would expect each country to follow a different playbook, just because 
they have different approaches to foreign policy,” Darrell M. West, vice 
president and director of Governance Studies at the Brookings Insti- 
tution, told me. “And China and Iran already know that everybody’s 
watching how Russia does it. I don’t think they just want to repeat that.” 


This article highlights the ways that China and Iran are adapting disinfor- 
mation and persuasion campaigns to online spaces in ways that suit their 
needs. The writer notes that Russia has a very specific strategy for affecting 
foreign policy, though it is not necessarily useful for all nations to employ 
in the same way. This article highlights the ways that China’s strategy will 


differ in a global context and how it will work to their greater benefit. 
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been active on their platforms targeting multiple African nations beginning in 2019 
(Timberg & Dwoskin, 2020). These efforts appear targeted toward affecting elec- 
tion outcomes in the Central African Republic as well as the surrounding nations 
on the continent. Similarly, China has been engaged in a persistent campaign of 
targeted misinformation in Hong Kong due to their attempts to democratize and 
separate from China (Goh, 2019). They also attempted to affect presidential elec- 
tions in Taiwan in the hopes of installing a pro-China candidate (Kirby, 2020). 
These developments demonstrate that information warfare is a real, powerful, 
insidious, and ultimately challenging form of cyberwarfare for any nation to defeat. 


Securing Cyberspace from the Threat of Cyberwar 


The threats posed by cyberwarfare efforts requires us to understand the scope of 
military and government organizations tasked with defending national resources 
and engaging in proactive offensive efforts against other governments. Since 
many of their activities may be classified, it is difficult to know exactly what 
organizations involved in this space may do or how they are truly structured. 
Thus, this section will provide an overview of the publicly acknowledged organ- 
izations involved in offensive and defensive actions in cyberspace. Additionally, 
this section will largely focus on the military agencies involved in protecting 
cyberspace from nation-state targets. A limited discussion of the federal civilian 
organizations will be presented to avoid redundancy, as the role of agencies like 
DHS in protecting critical infrastructure from attack from terrorists and nation- 
states alike is discussed in Chapter 10. 

Given the substantial risks presented by the loss of electrical power to civil- 
ian and military infrastructure in the event of a cyberattack, the US Depart- 
ment of Energy (DOE) plays a critical role in the maintenance and protection 
of energy programs and production generally. Most nations’ power grids are 
heavily dependent on the Internet and computer technology for operation and 
management, making them susceptible to compromise (Department of Energy, 
2020). Thus, the DOE operates the Office of Intelligence and Counterin- 
telligence in order to generate intelligence on various threats to our energy 
infrastructure, as well as those of foreign governments and nations. The DOE 
also operates an Incident Management Program, coordinated with US-CERT 
(Computer Emergency Response Team, see Chapter 2), to respond to various 
cyberthreats (DOE, 2021). This includes reporting incidents, generating secu- 
rity bulletins for vulnerabilities in various desktop and SCADA systems, as well 


as incident response management and tracking (DOE, 2021). 


439 


Cyberwarfare and Information Operations Online 


440 


Additionally, the newly formed DOE Office of Cybersecurity, Energy 
Security, and Emergency Response (CESER) is designed to improve the 
overall response to the security of the nation’s overall energy infrastructure by 
creating a coordinated hub for responses to both natural disasters and human- 
driven attacks (Office of Cybersecurity, Energy Security, and Emergency 
Response, 2021). One of the key elements of this office is the Cybersecurity for 
Energy Delivery Systems (CEDS) Division, which provides support for research 
and development of tools to increase the resiliency of the energy infrastructure 
of the country. This includes a focus on strengthening the capabilities of the 
various public and private energy providers to share information on cyber- 
threats, and enhance their ability to engage in incident responses in the event of 
an attack (Office of Cybersecurity, Energy Security, and Emergency Response, 
2021). They even hold the CyberForce Competition, wherein college students 
engage in the simulated attack and defense of a simulated energy infrastructure, 
while also trying to maintain the usability of the infrastructure for simulated 
customers (DOE, 2020). 

Though law enforcement has general oversight over cybercrimes and inci- 
dents of terror, the military has exclusive response to acts that might be defined 
as cyberwar, such as attempts to compromise DoD networks or those of related 
defense contractors. To that end, the Pentagon established the US Cyber 
Command (USCYBERCOM) in 2009 in order to manage the defense of 
US cyberspace and critical infrastructure against attacks (Andress & Winterfeld, 
2013). It was initially located under the US Strategic Command until 2018 
when it became its own full and independent Command body (US Cyber 
Command, 2021). All four arms of the US military (Army, Navy, Air Force, 
Marines) are represented on what are called Joint services within the Command. 
Its focus is on DoD networks only, while all civilian aspects of cyberspace are 
managed by the DHS. 

The Command has a primary responsibility to centralize and coordinate 
the defensive and offensive efforts of the information security space for the 
Department of Defense in all areas. In fact, there are four separate teams within 
USCYBERCOM for (1) general network defense, (2) tailored priority threat 
defense for specific aspects of the DoD infrastructure, (3) offensive attacks, and 
(4) mission support for offensive and defensive teams via analysis and planning 
(US Cyber Command, 2021). USCYBERCOM also operates the Technical 
Outreach division, which acts as an engagement arm for the Department of 
Defense to industry and researchers working in the field of cybersecurity and 
workforce development. They attempt to develop resources to improve the 
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capabilities of warfighters in both attack and defensive operations (US Cyber 
Command, 2021). Additionally, USCYBERCOM cooperates in the X-Force 
program, which provides internships and fellowships for undergraduate and 
graduate students to participate in projects related to cybersecurity and work- 
force development (US Cyber Command, 2021). 

The Department of Defense also operates the DC3, or Department of 
Defense Cyber Crime Center, which is focused on handling digital and 
media forensic analyses, as well as training and technical development for var- 
ious elements of the government and defense industry. Specifically, the Cyber 
Forensics Laboratory (CFL) performs various forms of forensic analysis for mate- 
rials identified in the field on both hardware and software, as well as on sensitive 
networks (DC3, 2021). The Cyber Training Academy also operates to produce 
training for various arms of the DoD in forensic seizure and analysis, as well 
as network attack and defense. The Technical Solutions Development team 
produces new software and hardware for the military and defense contractors as 
needed to help better engage in threat identification and response (DC3, 2021). 

The Vulnerability Disclosure Program (VDP) also operates within the DC3 
as a means to identify vulnerabilities within the DoD infrastructure and increase 
its resiliency to various attacks. Finally, the Center houses the Defense Industrial 
Base Collaborative Information Sharing Environment (DCISE), which provides 
security and training for various defense contractors to improve the security of 
intellectual property moving between private industry and military or govern- 
ment systems (DC3, 2021). This is a critical aspect of cybersecurity to help shore 
up the defense of potential vulnerabilities in the connection between govern- 
ment, military, and industry networks. 

In addition to the DoD, the NSA plays a critical role in the protection 
and investigation of attacks against sensitive military networks (NSA, 2021). 
The NSA serves as a key resource in both data encryption and protection of 
nearly all federal government computer networks. They also investigate attacks 
against computer networks from nation-state and non-nation-state actors alike 
(NSA, 2021). Finally, they play a critical role in intelligence gathering of for- 
eign nations’ cyber infrastructure in order to map vulnerabilities and develop 
offensive cyber strategies (see Box 11.11 for examples of tools developed by the 
NSA). The NSA combines agents with skills in computer science, engineering, 
mathematics, and linguistics in order to better investigate various issues related 
to cybersecurity threats. Similar agencies are present in various nations, such 


as Australia’s Defence Signals Directorate (DSD), Canada’s Communications 


Security Establishment (CSE), New Zealand’s Government Communications 
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Box 11.11 The Tools Created by the NSA for 
Espionage and Attack 


Everything We Know of NSA and Five Eyes Malware 


https://medium.com/@botherder/everything-we-know-of-nsa-and- 
five-eyes-malware-e8eac172d3b5#.cw0vpzc84 


After years of publications, and even a massive commercial specu- 
lation... it comes to no surprise that Western governments are also 
engaged in malware attacks. However, we still know very little on 
their capabilities and sophistication. 


This article provides an overview of all the malware and tools that were dis- 
closed by Edward Snowden in the large dump of NSA documents he made 
available to reporters. This analysis details myriad programs used for both 
active surveillance and cyberattacks. The scope of tools and the systems 
they compromise is extremely surprising and demonstrates the technical 
sophistication of some of the programs used to various ends in the wild. 


Security Bureau (GCSB), and the UK’s Government Communications Head- 
quarters (GCHQ; see Andress & Winterfeld, 2013). 

The development of USCYBERCOM emerged around the same time as 
those of other similar command infrastructures across the world. Most countries 
across the globe now have some units within their military or national defense 
forces that engage in practical network defense (Lancelot, 2020). The extent to 
which nations engage in offensive cyberattacks is variable, with different degrees 
of publicly accessible information on their operations. For instance, Australia 
established the Cyber Security Operations Centre (CSOC) in 2009 as a coor- 
dinated response for cyberattacks against government systems. Canada and the 
United Kingdom have established similar agencies in order to help defend 
against attacks (Andress & Winterfeld, 2013). 

Cyberwarfare operations units have spread across Asia as well, though with 
varied composition by nation. For instance, the Chinese government has 
established both offensive and defensive military organizations housed within 
so-called Information Warfare Militia Units, Technical Reconnaissance Bureaus 
(TRB), and the GSD (Andress & Winterfeld, 2013). At the same time, these 
forces may be augmented by the larger population of active hackers operating 
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within the bounds of the nation with or without state sponsorship. India also 
recently formed the Defense Cyber Agency within its military with the respon- 
sibility of engaging in largely defensive measures of the nation’s infrastructure. 
Japan, Singapore, South Korea, Sri Lanka, and Vietnam also have cyberwarfare 
capabilities. In addition, North Korea has engaged in far more overt offen- 
sive operations against nations around the world (Andress & Winterfeld, 2013). 
Incidents like the Sony Pictures Entertainment hack, if truly performed by 
North Korea, would suggest they have substantive capabilities that must not be 
taken lightly. 

The Russian government also has cyberwarfare capabilities that are housed 
within the Federal Security Service of the Russian Federation, the Federal Guard 
Service, and the General Staff (Andress & Winterfeld, 2013). Various nations 
in the EU have also formed offensive and defensive cyberwarfare units. For 
instance, France, Germany, Italy, the Netherlands, Poland, Portugal, Romania, 
and Spain have resources within their national defense forces and military. Sim- 
ilarly, the North Atlantic Treaty Organization (NATO), which formed 
in the wake of World War II to provide a joint operational military alliance for 
the United States and Europe, has become increasingly involved in cyberwar- 
fare (NATO, 2021). The organization has focused heavily on cyber defense for 
its networks and that of the broader alliance countries, particularly across the 
EU. Additionally, NATO has formed the Cooperative Cyber Defense Centre 
of Excellence in Tallinn, Estonia as a resource to train member nations in var- 
ious aspects of cyberwarfare and improve the overall intelligence sharing and 
resilience of is networks (NATO, 2021). Member nations also engage in yearly 
cyberwar games as a means of testing their readiness for various attacks and 
improve their capacity to engage in active defensive and offensive tactics. 


Summary 


This chapter demonstrates the complex and very real threat that is posed by 
acts of cyberwarfare, and the inherent challenges in defending networks from 
nation-state sponsored attacks. These threats require a sophisticated response 
incorporating civilian and military entities to be effective against compromise. 
The fact that nation-states can also twist the information-driven nature of 
the online communications to their advantage also complicates the process of 
active defense. This issue will continue to evolve along with technology adop- 


tion and social media platform use across the globe. It is, however, clear that 


cyberwarfare incidents will increase in the coming years. 
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Key Terms 


Abstract organization 

Advanced Persistent Threat (APT) 
Attribution 

Computer network attack (CNA) 

Computer network defense (CND) 
Computer network exploitation (CNE) 
Cyberwar 

Department of Defense Cyber Crime Center 
Department of Energy (DOE) 

Department of Homeland Security Cybersecurity and 
Infrastructure Agency (CISA) 
Disinformation 

Disinformation Review 

EEAS East StratCom Task Force 
EINSTEIN 

EternalBlue 

Exploit 

Fake news 

Geneva Convention 

Guardians of Peace 

Information warfare 

Israeli Defense Force 

Jus ad bellum 

Jus in bello 

Kinetic weapons 

Nation-state 

National Security Agency (NSA) 

North Atlantic Treaty Organization (NATO) 
NotPetya 

Office of Cybersecurity, Energy Security, and Emergency Response 
Operation Olympic Games 

People’s Liberation Army of China (PLA) 
The Shadow Brokers 

Sony Pictures Headquarters 
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Sovereignty 

Stuxnet 

Supervisory control and data acquisition (SCADA) 
Tallinn Manual 

Territoriality 

Troll 

US Cyber Command (USCYBERCOM) 
US Office of Personnel Management (OPM) 
Vulnerability 

Vulnerabilities Equity Process (VEP) 
WannaCry 


Discussion Questions 


1. Do you think it is acceptable for nations to reserve the right to report 
critical vulnerabilities to the public? How do you weigh the risks of harm 
relative to the benefits of using them in a potential attack scenario? 

2. What real-world events, whether political, military, or social, could trig- 
ger a cyberattack? 

3. Why do you think incidents like the Sony Pictures Hack or the Russian 
trolling operations do not lead to more substantial policy responses from 
the United States? Is it too difficult to find an appropriate response? What 
do you think would be acceptable? 

4. The threat of nuclear war and the proliferation of weapons of mass 
destruction (WMD) is deterred in part by the idea of mutually assured 
destruction, not only for the two nations but for the larger world. Given 
that nearly every nation has economic and critical infrastructure depend- 
ent on technology, if a nation-state were to engage in cyberwar against a 
rival, it would demand a physical or cyber response. With that in mind, 
how can nation-states deter the use of cyberattacks against one another? 
How do we respond to attacks committed by hackers or nation-states 


who are not influenced by traditional deterrence methods? 


445 


Cyberwarfare and Information Operations Online 


446 


References 


Andress, J., & Winterfeld, S. (2013). Cyber warfare: Techniques, tactics, and tools 
for security practitioners (2nd ed.). Syngress. 

BBC. (2019, June 23). US ‘launched cyber-attack on Iran weapons systems’. 
BBC. https://www.bbc.com/news/world-us-canada-48735097 

Brenner, S. W. (2008). Cyberthreats: The emerging fault lines of the nation state. 
Oxford University Press. 

Brodscky, J., & Radvanovsky, R. (2010). Control systems security. In T. J. 
Holt & B. Schell (Eds.), Corporate hacking and technology-driven crime: Social 
dynamics and implications (pp. 187-204). IGI-Global. 

CISA. (n.d.). Securing Federal Networks: EINSTEIN. https://www.cisa.gov/ 
einstein 

Clayton, M. (2010, September 21). Stuxnet malware is “weapon” out to 
destroy ... Iran’s Bushehr Nuclear Plant. Christian Science Monitor. www. 
csmonitor.com/USA/2010/0921 /Stuxnet-malware-is-weapon-out-to- 
destroy-Iran-sBushehr-nuclear-plant 

Clover, C. (2009, March 11). Kremlin-backed group behind Estonia cyber 
blitz. Financial Times. 

Creveld, M. V. (1999). The rise and decline of the state. Cambridge University Press. 

Davis, J. (2007, September). Web war one. Wired (pp. 162-169). 

DC3. (2021). Department of Defense Cyber Crime Center (DC3). https://www. 
dc3.mil/ 

Denning, D. E. (2010). Cyber-conflict as an emergent social problem. In T. 
J. Holt & B. Schell (Eds.), Corporate hacking and technology-driven crime: Social 
dynamics and implications (pp. 170-186). IGI-Global. 

Department of Energy. (2020). Cybersecurity. https:// www.energy.gov/ 
national-security-safety/cybersecurity 

Department of Energy. (2021). Industrial control systems. https://us-cert.cisa. 
gov/ics 

Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security 
practices meet China’s Captain America. CSO Magazine. https://www. 
csoonline.com/article/3318238/the-opm-hack-explained-bad-security- 
practices-meet-chinas-captain-america.html 

Goh, B. (2019, August 22). ‘All the forces’: China’s global social media push 
over Hong Kong protests. Reuters. https://www.reuters.com/article/us- 
hongkong-protests-china-socialmedia/all-the-forces-chinas-global-social- 
media-push-over-hong-kong-protests-idUSKCN1VCONF 


Cyberwarfare and Information Operations Online 


Greenberg, A. (2018, August 22). The untold story of NotPetya, the most 
devastating cyberattack in history. Wired. https://www.wired.com/story/ 
notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ 

Guadagno, R. E., Cialdini, R. B., & Evron, G. (2010). Storming the servers: 
A social psychological analysis of the first internet war. Cyberpsychology, 
Behavior, and Social Networks, 13, 447-453. 

Helmus, T. C., et al. (2018). Russian social media influence: Understanding 
Russian propaganda in Eastern Europe. Rand Corporation. https://www.rand. 
org/content/dam/rand/pubs/research_reports/RR2200/RR2237/RAND_ 
RR2237.pdf 

Herpig, S., & Schwartz, A. (2019, January 4). The future of vulnerabilities 
equities processes around the world. Lawfare. https://www.lawfareblog. 
com/future-vulnerabilities-equities-processes-around-world 

Higgins, A. (2016, May 30). Efforts to expose Russia’s “Troll Army’ draws 
vicious retaliation. New York Times. https://www.nytimes.com/2016/05/ 
31/world/europe/russia-finland-nato-trolls.html 

Jaffe, G. (2006, June 15). Gates urges NATO ministers to defend against 
cyber attacks. The Wall Street Journal Online. http://online.wsj.com/article/ 
SB118190166163536578.html 

Keneally, M. (2017, June 6). How Russia used trolls, cyberattacks, and propaganda 
to try to influence election. ABC News. http://abcnews.go.com/Politics/ 
russia-trolls-cyberattacks-propaganda-influence-election/story?id=44610568 

Kerr, P. K., Rollins, J., & Theohary, C. A. (2010). The Stuxnet computer worm: 
Harbinger of an emerging warfare capability. Congressional Research Service. 

Kirby, J. (2020, January 12). Taiwanese President Tsai Ing-wen, an opponent 
of Beijing, has won reelection. VOX. https://www.vox.com/world/2020/ 
1/10/21060135/taiwan-election-hong-kong-china-tsai-han 

Kroll, A. (2020, November 23). Seth rich’s parents settle their blockbuster 
lawsuit against Fox News. Rolling Stone. https://www.rollingstone.com/ 
politics/politics-news/seth-rich-wikileaks-fox-news-sean-hannity-donald- 
trump-russia-1094896/ 

Lancelot, J. F. (2020). Cyber-diplomacy: Cyberwarfare and the rules of 
engagement. Journal of Cyber Security Technology, 4, 240-254. 

Landler, M., & Markoff, J. (2007, May 29). Digital fears emerge after data 
siege in Estonia. The New York Times. 

Mandiant. (2013). APT1: Exposing one of China’s cyber espionage units. 
https://www.mandiant.com/resources/apt1-exposing-one-of-chinas- 


cyber-espionage-units 


447 


Cyberwarfare and Information Operations Online 


448 


Morning Edition. (2019, July 11). The origins of the Seth Rich conspiracy 
theory. NPR. https://www.npr.org/2019/07/11/740608323/the-origins- 
of-the-seth-rich-conspiracy-theory 

National Security Agency. (2021). Mission statement. www.nsa.gov/about/ 
mission/index.shtml 

Newman, L. H. (2019, May 6). What Israel’s strike on Hamas hackers means 
for cyberwar. Wired. https://www.wired.com/story/israel-hamas-cyberattack- 
air-strike-cyberwar/ 

North Atlantic Treaty Organization. (2021, July 2). Cyber defence. https:// 
www.nato.int/cps/en/natohq/topics_78170.htm 

Office of Cybersecurity, Energy Security, and Emergency Response. (2021). 
CESER mission. Department of Energy, CESER. https://www.energy.gov/ 
ceser/ceser-mission 

Pegues, J. (2018). Kompromat: How Russia undermined American democracy. 
Prometheus. 

Perlroth, N., & Shane, S. (2019, May 25). In Baltimore and beyond, a stolen, 
NSA tool wreaks havoc. The New York Times. https://www.nytimes.com/ 
2019/05/25/us/nsa-hacking-tool-baltimore.html 

Rid, T. (2013). Cyber war will not take place. Hurst and Company. 

Robb, D. (2014, December 22). Sony hack: A timeline. Deadline. http:// 
deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview- 
north-korea-1201325501/ 

Rogers, K., & Bromwich, J. E. (2016, November 8). The Hoaxes, fake news 
and misinformation we saw on election day. The New York Times. https:// 
www.nytimes.com/2016/11/09/us/politics/debunk-fake-news-election- 
day. html 

Sang-Hung, C., & Markoff, J. (2009, July 9). Cyberattacks jam government 
and commercial web sites in the US and South Korea. New York Times. 
https://www.nytimes.com/2009/07/10/technology/10cyber.html 

Sanger, D. E. (2012). Confront and conceal: Obama’s secret wars and surprising use 
of American power. Crown Publishing. 

Sanger, D. E., & Perlroth, N. (2019, June 16). Trump administration escalates 
cyber-attacks on Russian power grid as warning to Putin. The Independent. 
https://www.independent.co.uk/news/world/americas/us-politics/ 
us-russia-cy ber-attacks-trump-power-grid-putin-kremlin-a8960681 .html 

Schneier, B. (2017, May 23). Who are the shadow brokers? The Atlantic. 
https://www.theatlantic.com/technology/archive/2017/05/shadow- 
brokers/527778/ 


Cyberwarfare and Information Operations Online 


Schwartau, W. (1996). Information warfare (2nd ed.). Thunder’s Mouth Press. 

Taylor, P. (2001). Hackers: Crime and the digital sublime. Routledge. 

Timberg, C. (2016). Russian propaganda effort helped spread “fake news” 
during election, experts say. Washington Post.https://www.washingtonpost. 
com/business/economy/russian-propaganda-effort-helped-spread-fake- 
news-during-election-experts-say/2016/11/24/793903b6-8a40-4ca9-b7 12- 
716af66098fe_story. html 

Timberg, C., & Dwoskin, E. (2020, December 16). People associated with 
French military used Facebook to meddle in Africa. Washington Post. https:// 
www.washingtonpost.com/technology/2020/12/15/people-affiliated-with- 
french-military-used-facebook-meddle-africa/ 

Trans European Policy Studies Association (TEPSA). (2016). EEAS’s East 
StratCom Task Force publishes two weekly newsletters. http://www.tepsa.eu/ 
eeass-east-stratcom-task-force-publishes-two-weekly-newsletter/ 

US Cyber Command. (2021). Mission and vision. https://www.cybercom.mil/ 
About/Mission-and-Vision/ 

Volz, D. (2016, December 21). Russian hackers tracked Ukrainian artillery 
units using android implant: Report. Reuters. https://www.reuters.com/ 
article/us-cyber-ukraine/russian-hackers-tracked-ukrainian-artillery-units- 
using-android-implant-report-idUSKBN14BO0CU 

Weaver, M., and agencies. (2009, July 8). Cyber attackers target South Korea 
and US. The Guardian. https://www.theguardian.com/world/2009/jul/08/ 
south-korea-cyber-attack 

Zetter, K. (2011, July 26). DHS fears a modified Stuxnet could attack US 
infrastructure. Wired Threat Level. www.wired.com/threatlevel/2011/07/ 
dhs-fears-stuxnet-attacks/ 

Zetter, K. (2016, February 12). Evidence suggests the Sony hackers are alive 
and well and still hacking. Wired. https://www.wired.com/2016/02/ 


evidence-suggests-the-sony-hackers-are-alive-and-well-and-still-hacking/ 


449 


Chapter 


ILLICIT MARKET 
OPERATIONS 
ONLINE 


Illicit Market Operations Online 


452 


Chapter Goals 


e Define and differentiate open and closed markets in both physical and 
cyberspace 

e Discuss the transitions in online market operations from bulletin 
board systems (BBS) to Internet Relay Chat (IRC) to forums and the 
Dark Web 

© Recognize the process of selling and purchasing goods and services 
from vendors advertising physical and digital goods through online 
advertisements 

e Identify the differences between forums, shops, and cryptomarkets 

e Understand the myths regarding illicit services advertised on the 
Dark Web 


Introduction 


In February, 2021, a Wisconsin mother of four named Kelly Harper was arrested 
by FBI agents after attempting to hire hitmen to kill a man (Rickert, 2021). The 
intended victim was notified of the plot by journalists after they uncovered the 
plot, who then contacted the FBI. The journalists involved in this case were not 
attempting to uncover a shadowy network of hitmen operating in their local 
area (Rickert, 2021). Instead, they were doing research on the practices of Dark 
Web vendors and were interviewing an individual who claimed to run a hitman 
site. The operator provided the journalists with chat logs, including an exchange 
between themselves and an individual who paid them $5,633 in Bitcoin, a cryp- 
tocurrency, to kill the unnamed victim (Rickert, 2021). The reporters involved 
received substantial details about the victim, including a physical description, 
his phone number, address, workplace, and information about their car. They 
were also able to deduce the person who paid for the services was Kelly Harper, 
which led them to contact law enforcement. 

Events like these demonstrate the scope of illicit market operations occur- 
ring every day in online spaces. As noted in Chapter 5, the Internet has created 
unparalleled opportunities for commerce, whether between major corporations 
or retail establishments. The same is true for small businesses and individuals 
who make and sell various goods. Websites like eBay, Craigslist, and even Face- 
book Marketplace also allow individuals to sell used or new items to others both 


locally and globally. 
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Criminals have seized upon the communications, finance, and retail tools 
made available to the public in online spaces to create a parallel economy, trad- 
ing goods, and services in ways that mirror legitimate business practices (Barratt, 
2012; Holt et al., 2016; Martin, 2014). As explained in prior chapters, there 
is now an entire cybercrime-as-service economy operating online for hacking 
tools and personal data. It should also come as no surprise that goods and ser- 
vices formerly offered only in physical spaces, like narcotics and paid sex work, 
are now available in online spaces on both the Open and Dark Web. 

There are multiple questions as to how these economies can coexist and 
the extent to which they intersect with offline illicit markets. In addition, it is 
essential to ask whether services like contract killing and other serious crimes 
actually advertise online and why. This chapter attempts to address these ques- 
tions through an assessment of the existing body of research on both offline 
and online criminal markets. In turn, readers will be able to identify both 
the realities and myths that perpetuate regarding criminal goods and services 
online and better understand the challenges they present for law enforcement 


and policy makers. 


Differentiating Physical and Virtual Markets 


Criminologists and sociologists have long examined the ways that individu- 
als engage in the sale of illicit goods, whether in illicit sex work (e.g., Scott 
& Dedel, 2006; Weitzer, 2012), firearms (Cook et al., 2009; Kennedy et al., 
1996), the resale of stolen goods (Klockars, 1974; Schneider, 2005; Wright & 
Decker, 1994), and all manner of illegal drugs (Jacobs, 2000; May & Hough, 
2004; Turnbull, 2002). Scholars have also considered differences in the practices 
of vendors on the basis of their role as street-level dealers to those in middle tiers 
of distribution (Adler, 1993; Jacobs, 2000; Potter, 2009). 

Researchers have also noted the unique structures illicit market operations 
can take in physical spaces. Many simple forms of transactional crime occur 
in public venues, including street corners and alleys as with drug sales (Jacobs, 
1996, 2000; Johnson et al., 2000; Johnson & Natarajan, 1995; Knowles, 1999; 
Topalli et al., 2002; VanNostrand & Tewksbury, 1999) and prostitution (Holt 
et al., 2014; Scott & Dedel 2006; Weitzer, 2012). Such activities enable buy- 
ers to gain access to vendors with no necessary introductions or immediate 
restrictions on behavior. When customers and vendors interact in such environ- 


ments, they may be referred to as open markets (Eck, 1995; May & Hough, 


2004). Such activities are highly risky for both buyer and seller, as their actions 
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may be observed by law enforcement, as well as other criminals who target par- 
ticipants for drugs, guns, or money (Jacobs, 1996, 2010). 

Participants within open markets can take various steps to reduce their risk 
of detection and minimize negative sanctions stemming from arrest or infor- 
mal threats like robbery by other criminals (Cross, 2000; Jacobs, 1996, 2000; 
Johnson et al., 2000; Johnson & Natarajan, 1995; Knowles, 1999; Topalli et al., 
2002; VanNostrand & Tewksbury, 1999). For instance, drug dealers may hide 
small quantities of product in their mouths so as to quickly swallow it if they are 
detected by police (Jacobs, 1996. This reduces their likelihood of drugs being 
confiscated if they are patted down and minimize any criminal penalties if they 
are arrested for dealing (Jacobs, 1996). 

The risks participants face from police efforts and other criminal actors have 
led to the formation of what some refer to as closed markets, where transactions 
only occur between known, trusted participants (Johnson et al., 2000; May & 
Hough, 2004). This phrasing recognizes that participants restrict access to goods 
and services on the basis of some sort of social vetting by others. Closed markets 
may operate behind closed doors, as with crack houses or other residence-based 
markets, though they may also operate in public spaces with efforts taken to 
hide their overt illicit activities (Hamid, 1998; Johnson et al., 2000; May & 
Hough, 2004). There are distinct benefits to closed markets, in which partici- 
pants assume less risk from outsiders. At the same time, they reduce opportuni- 
ties for vendors to engage in spontaneous transactions with strangers, which may 
increase their overall market share (May & Hough, 2004). These conditions also 
limit opportunities for customers in the event of problems with sellers or their 
products over time. 

Regardless of structure, the participants in illicit markets face some degree 
of risk from formal and informal sources. To help assess risk and gage the legiti- 
macy of participants, actors in open and closed markets can also use both verbal 
and nonverbal cues to determine whether it is safe to engage in a transaction 
with that person (Jacobs, 1996, 2000; Johnson & Natarajan, 1995). For instance, 
individuals who are unable to correctly use any slang terms to refer to a product 
may be viewed as an outsider who cannot be trusted (Jacobs, 1996; Johnson & 
Natarajan, 1995). Individuals who also attempt to buy large quantities of drugs 
or pay in unusual denominations may also appear too risky to sell product to, 
even if they are regular clients (Jacobs, 1996; Knowles, 1999). 

Comparing these dynamics to the behaviors of participants in virtual mar- 
kets, one may assume that they are completely different. For instance, virtually 
all participants in online markets can operate with greater anonymity than in 
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physical spaces (Barratt, 2012; Holt & Dupont, 2019). The ability to operate in 
a faceless, nameless environment that is difficult to monitor makes it difficult 
for participants to be tied to their real identities (Barratt, 2012; Décary-Hétu & 
Giommoni, 2017; Tzanetakis et al., 2015). Individuals can also use tools to hide 
their physical location as revealed by their IP address details through the use of 
virtual private networks (VPNs), proxy servers, or other anonymization tools 
like Tor (Holt et al., 2016; Smirnova & Holt, 2017). 

Additionally, the process of making purchases in virtual markets is very dif- 
ferent from that of physical markets. Sellers are limited in how they connect 
with vendors, as they must make contact through electronic means like forum 
posts, email, or chat-based applications (Barratt, 2012; Dupont et al., 2017; 
Hutchings & Holt, 2015). They must state in writing what quantities of prod- 
uct they want, and negotiate prices through these mediums (Holt & Lampke, 
2010; Tzanetakis et al., 2015). Once a negotiation is completed, buyers must 
then pay the vendor. In physical space, this is usually done via paper currency; 
virtual markets depend on digital currencies to send and receive payments (Holt 
& Dupont, 2019; Moeller et al., 2017). 

Finally, the delivery of goods in online illicit markets is very different from 
what is observed in real-world markets. Upon receipt of payment, vendors 
in online spaces are then expected to provide the goods to the buyer, though 
delivery varies based on the nature of the product (Copeland et al., 2020; Her- 
ley & Floréncio, 2010). Individuals buying credit card numbers, personal infor- 
mation, or other digital items, such as hacking tools, may receive them via a 
direct download or other method of online delivery. Physical goods like drugs 
or guns are typically shipped via physical delivery services like Federal Express, 
UPS, DHL, or various postal services (see Box 12.1; Copeland et al., 2020; 
Décary-Hétu et al., 2016). 

Despite these differences, there are some similarities evident in the practices 
of online market actors. First and foremost, participants in online illicit com- 
munities face risks from law enforcement and criminal actors who may seek to 
harm participants (Décary-Hétu et al., 2016; Holt & Dupont, 2019). The ina- 
bility to use visual cues complicates the process of identifying individuals who 
may be undercover law enforcement, or even cybersecurity researchers posing 
as potential customers. Additionally, unreliable actors who seek to rip off cus- 
tomers by taking their money and sending no product can easily pose as vendors 
in markets (Herley & Floréncio, 2010; Tzanetakis et al., 2015). 


As a consequence, participants in online markets are heavily dependent on 


the use of nonverbal cues to determine the legitimacy of potential actors. Text, 
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Box 12.1 How Drug Dealers’ Use of Shipping 
Services Can Lead to Arrest 


Onetime UI Grad Student Facing Federal Charges of Making, 
Selling Drugs 


https://www.news-gazette.com/news/onetime-ui-grad-student-facing- 
federal-charges-of-making-selling-drugs/article_39502acf-ecbb-56a4- 
afl4-91e876e9ca72.html 


... the government alleges that between September 2016 and this past 
weekend, Caamano was engaged in the production of counterfeit 
Xanax, an often-abused anti-anxiety drug, which he was mailing from 
USS. Postal Service boxes in Champaign to other states, using an Easy- 


Post account. 


This article provides an excellent overview of how an individual selling 
drugs online was arrested, due in part to the detection of drugs as they 
were in transit. Though there is anonymity in online environments, it is 
much harder to remain anonymous when products have to be delivered 
to a physical address. As a result, this is a key point of risk in the process of 


online illicit good sales. 


images, and slang appearing in websites, email, and other forms of online com- 
munications used by vendors and customers are essential when considering the 
validity of an ad, or a customer request (see Figures 12.1 and 12.2; Décary-Hétu 
et al., 2016; Herley & Floréncio, 2010; Tzanetakis et al., 2015). Correct use of 
language and images that are not taken from other websites or online sources 
are all useful to establish an actor’s legitimacy. 

In addition, some markets encourage customers to post reviews of ven- 
dors’ goods and their overall operational practices to identify illegitimate actors. 
Forum communities on both the Open and Dark Web tend to encourage cus- 
tomers to post reviews describing their interactions with vendors on the basis 
of their communications, delivery methods, customer service and other fac- 
tors associated with a transaction (Décary-Hétu & Leppanen, 2015; Holt, 2013; 
Holt & Lampke, 2010). The degree to which vendors also clearly describe their 
goods can also be a sign of their trust and quality, especially regarding malware 
and cybercrime-as-service products since their customers may not have the skills 
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Fig. 12.1 An example of a Dark Web drug site 
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40.00€ 
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provide a dataset (name, age, gender, size etc). We will also need a biometric photo in high quality and signature scanned, we will give 
more instructions after your purchase. 


Fig. 12.2 An example of a Dark Web passport vending site 
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necessary to effectively use their services (Holt & Lampke, 2010; Holt et al., 
2016; Hutchings & Clayton, 2016). In that regard, vendors who offer relia- 
ble customer service lines via instant message, Jabber, and other platforms may 
garner a better overall reputation among customers (Holt & Lampke, 2010; 
Hutchings & Holt, 2015). 

A proportion of markets have also evolved to take on the characteristics of 
closed markets in physical space by changing the ways that individuals can gain 
access to vendors and their goods. While many illicit online markets may oper- 
ate through open websites and forums, a proportion also utilize registration and 
password portal systems (see Holt & Bossler, 2015 for review). These systems 
require individuals to create an account with the site, where they must create 
a profile linking their username to an email account or some other means of 
off-site contact. This process can be easily falsified, enabling law enforcement 
and unscrupulous actors the ability to engage in transactions under a guise of 
legitimacy (Holt & Dupont, 2019). 

As result, there has been some growth in vetted communities operating on 
both the Open and Dark Web. These sites utilize registration systems but also 
require individuals to be socially vetted by members of the community or forum 
operators (Holt et al., 2016). For instance, potential registrants may be asked to 
provide information about their online activities, association with other forums 
and communities, and even name two individuals who may already be members 
who can vouch for their claims (Dupont et al., 2017). 

The use of social vetting may be useful to help minimize the presence of law 
enforcement, though it does not guarantee that participants will not cheat one 
another. For instance, a hacker forum called Darkode operated between 2008 
and 2015 as a high-level market for the most sophisticated actors to buy and 
sell products (Dupont et al., 2017; Holt & Dupont, 2019). It was taken down 
by a multinational law enforcement investigation in 2015 and was referred to 
by US prosecutors as “one of the gravest threats to the integrity of data on 
computers... around the world” (Department of Justice, 2015). For instance, 
members of the forum sold various malware including exploit kits, Trojans, and 
credit card numbers. 

During its first few years of operation, individuals were able to join the forum 
only after being invited by an existing member who knew the individual per- 
sonally. The process changed in late 2012 after several cybersecurity researchers 
and journalists were identified and kicked out of the community (Dupont et al., 
2017). From that point forward, invitations could only come from one of the 


site administrators to help reduce potential external threats. Regardless of the 
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method of invitation, potential members were not given complete access to the 
forum. They would first have to post in a specific new recruit section called 
“fresh fish” where they would have to explain their activities in the cybercrime 
underground, noting what forums they belonged to, their associations to other 
hackers, and identify any distinct skills they may have (Dupont et al., 2017). 
Existing members could then vote on whether the person could be given full 
membership status and participate in the forum. 

The use of social vetting as noted with Darkode is not a perfect solution to 
eliminate the risk of external threats to participants (Dupont et al., 2017; Holt 
& Dupont, 2019). The successes of Darkode participants likely helped draw 
police attention to the community and increase the members’ risk of arrest. 
Another option that some communities take to reduce the likelihood of outsid- 
ers attempting to join is to require members to place a deposit with the site 
operators (Moeller et al., 2017). It is thought that only individuals who want to 
make a purchase would be willing to provide money to a criminal marketplace 
or vendor. Similarly, some sites would hold money in escrow for both buyers 
and sellers to ensure successful transactions (Holt, 2013; Hutchings & Holt, 
2015). These measures should help ensure all participants are interested in doing 
business with one another and are focused on specific business outcomes and 


not simply snooping or monitoring ongoing activities. 


For more information on legal actions against Darkode, go online 


to: https://www.youtube.com/watch?v=tovhoaxQstQ 


Unfortunately for market participants, there is always the possibility that the 
site operators will simply take those deposited funds and shut down their site 
without completing any transactions. Such events are often referred to as exit 
scams and have occurred with some frequency in Dark Web cryptomarkets 
(see Box 12.2 for detail; Schwartz, 2020). It is unclear if the decision to shutter 
a site is a function of untrustworthy actors scamming participants, or a con- 
scious decision to close the operation before the operators could be subject to 
law enforcement investigations (Riley, 2019). Regardless, when an exit scam 
occurs, the participants are often left with no option to recoup their losses or 
products (Riley, 2019). Thus, there is no one strategy that can be employed to 


ensure that an individual gets what they want from any transaction involving 


illicit goods in online markets. 
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Box 12.2. The Risk of Exit Scams in Dark 
Web Markets 


“The ‘Exit Scam’ Is the Darknet’s Perfect Crime” 


https://www.vice.com/en/article/xyw7xn/darknet-slang-watch- 


exit-scam 


It turns out that a logistical problem with darknet markets is that when 
a vendor throws in the towel, it’s very tempting for him or her to stop 
mailing drugs but continue pocking customers’ payments for as long 


as possible. 


This article presents a sound overview of the reasons why exit scams occur 
and how Dark Web participants can reduce the risk of being victims of 
such a scheme. The author highlights that while strategies can be employed 
to identify reputable vendors and markets, there is still inherent risk of loss 


because of the illicit nature of the transactions generally. 


The Development and Evolution of Illicit 
Markets Online 


To understand the current state of illicit market operations, we must first assess 
its historical iterations. The nature of these markets developed in tandem with 
changes in technology and the user base of the Internet as a whole. For instance, 
early bulletin boards and news groups were used to facilitate the exchange of 
pornography (Lane, 2000) and arrange off-line drug transactions (Power, 2013). 
Though these interactions demonstrate the utility of the communications 
power of the Internet, hackers were among the first to operate illicit markets 
on the Internet in the 1980s. As noted in Chapters 3 and 5, hackers during this 
time operated a sort of barter system economy where individuals would trade 
information, access to telephone party lines, and pirated software as currency. 
Individuals would give others access to these materials in exchange for access to 
bulletin board systems (BBS) and other resources as a means to gain notoriety 
and demonstrate skills to others (Meyer, 1989). 

As Internet speeds increased and the World Wide Web developed, so too did 
the opportunities for illicit economies to bloom. The rise of the MP3 and CD 


technologies fostered the underground exchange of music via peer-to-peer file 
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sharing services like Napster, and Internet Relay Chats, or IRC (see Chap- 
ter 5). The development of IRC was particularly impactful on the formation 
of illicit economies, as it enabled individuals to amass collections of music and 
media (Cooper & Harrison, 2001; Nhan, 2013). The servers hosting these chan- 
nels became hotbeds for piracy communities focused on uploading and down- 
loading content, and soon came to the attention of federal law enforcement for 
violations of the Digital Millennium Copyright Act. 

In the late 1990s and early 2000s, the rise of e-commerce platforms and 
digital currencies enabled the formation of illicit markets based on financial 
transactions between buyers and sellers. Some of the first markets focused on 
the sale of credit and debit card data, whether on IRC channels or in forums 
operating on the World Wide Web (see Chapter 6; Holt et al., 2016). The 
development of botnet malware and its utility to send spam email and denial of 
service (DOS) attacks fostered the growth of cybercrime-as-service vendors as 
well (see Chapter 4; Holt, 2013; Hutchings & Clayton, 2016). There were even 
novel attempts to sell drugs, such as ecstasy, through chat rooms, though the 
transactions appeared to take place offline (see Box 12.3; May & Hough, 2004). 

The rapid growth in e-commerce around the world, coupled with expanded 
Internet use, led to a boom in illicit market operations in the early and mid- 
2000s. Much of the activity shifted from IRC to forums, due in part to their 


Box 12.3 Early Drug Sales Online 
13 on Staten Island Accused in Internet Sales of Illicit Drugs 


https://www.nytimes.com/1999/11/17/nyregion/13-on-staten-island- 


accused-in-internet-sales-of-illicit-drugs.html 


The police called the investigation “Operation You’ve Got Jail.” 
Inspector McCool said that detectives from the computer crimes unit, 
using fake user names, logged into public chat rooms on America 
Online where the gang members arranged sales of Ecstasy, hallucino- 
genic mushrooms, Special K and other drugs popular at night clubs and 


among high school and college students. 


This article provides important historical insights into the nature of illicit 
drug sales online, as the individuals arrested in this sting were thought to 


be among the first to be arrested for arranging drug sales via chat rooms. 
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ease of use and ability to be coupled with other forms of online communication 
and commerce. Researchers began to examine the ways forum communities 
grew around activities like prostitution, and monetized forms of sex work like 
camming (see Chapter 6; Weitzer, 2012). Services like Craigslist also came to 
the attention of criminals as a means to covertly sell stolen goods, prostitution, 
and even hitmen services (Carr, 2011). 

The expansion of illicit economies in online spaces led to increased attention 
from law enforcement, culminating in a series of undercover investigations to 
disrupt their operations. Coordinated multinational law enforcement operations 
were used to take down major underground forums like the Shadowcrew, the 
members of which trafficked in over 1.7 million credit cards and pieces of per- 
sonal information (Holt, 2010). Craigslist was also targeted for its role in prosti- 
tution in the late 2000s, as sex workers could regularly post messages advertising 
their services at no cost through their Erotic Services section (see Chapter 6; 
Carr, 2011; Weitzer, 2012). Even third-party payment processers were impli- 
cated for their role in enabling online illicit markets (Holt et al., 2016; Hutch- 
ings & Holt, 2015). For instance, the operators of a digital currency system 
called e-Gold were arrested and charged with money laundering and other 
offenses in 2008 (see Box 12.4; Zetter, 2008). 

Though these enforcement actions had short-term impacts to the illicit 
market space, the majority of vendors and customers found other platforms to 


Box 12.4 Taking Down E-Gold 
Bullion and Bandits: The Improbable Rise and Fall of E-Gold 


https://www.wired.com/2009/06/e-gold/ 


The story of the first digital currency backed entirely by gold and silver 
began in 1995, while Jackson was still treating cancer patients. 


This article traces the development of e-Gold as a form of digital currency, 
which was created by Douglas Jackson, from its humble beginnings to its 
value as a resource for payments between cybercriminals for a range of 
offenses. This story provides a balanced discussion of the challenges of reg- 
ulating online currencies and potential for misuse by all manner of crim- 
inals regardless of the service provider’s relationship to law enforcement. 
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use to engage in transactions. Backpage and escort review sites quickly 
replaced Craigslist as an advertising platform for paid sexual encounters 
(Weitzer, 2012). New services like Liberty Reserve and Web Money replaced 
e-Gold as preferred payment platforms, though they were also subject to law 
enforcement actions (Holt & Bossler, 2015). A number of cybercrime mar- 
kets also shifted toward closed access models to help minimize external pen- 
etration by law enforcement and security researchers (Dupont et al., 2017; 
Holt et al., 2016). 


For more information on legal actions against the payment service 
Liberty Reserve, go online to: https://www.youtube.com/watch?v= 
pOVbOcCA1_A 


Perhaps the most dramatic shift in online illicit market operations occurred 
in 2011 with the creation of the Dark Web market called the Silk Road. The 
website was hosted on TOR, or The Onion Router, which is a free encryption 
software operating via a browser plugin. Individuals using TOR become part of 
a global network of users, where everyone’s web traffic is routed through one 
another’s Internet connection (Barratt, 2012). This functionality enables indi- 
viduals to hide their IP address and location in physical space by virtue of hiding 
behind other users’ Internet connectivity (Barratt, 2012). The same is true for 
webservers hosted on TOR, making it difficult for law enforcement to eftec- 
tively shut down websites because they may not be able to physically associate a 
server to a specific service provider or physical location (Décary-Hétu et al., 
2016). In fact, sites hosted on the TOR network end in the extension. onion 
and can generally only be opened via the TOR browser or specialized plugins 


for open web browsers. 


For more information on TOR, go online to: https://www. A al 
torproject.org/ fr 


The Silk Road was created by Ross William Ulbricht, who used the online 


handle Dread Pirate Roberts. The site was created as a retail platform to sell 


all manner of goods from international vendors, which quickly included illicit 
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narcotics (Barratt, 2012). The fact that individuals began selling drugs through 
this platform was not necessarily novel. What was ingenious was the fact that 
individuals paid vendors for their products using an electronic currency called 
Bitcoin (Barratt, 2012). It is known as a cryptocurrency, in which the details 
of transactions between participants are stored in a decentralized database 
called blockchain (Martin, 2014). This enables participants to follow the path 
of payments between two parties, but in a way that cannot be immediately 
associated to a real person. As a result, participants can feel secure in the 
notion that outsiders will not be able to know any details about the real iden- 


tities of participants. 


For more information on the nature and use of blockchain tech- 
nologies, go online to: https://www.youtube.com/watch?v=SSo_ 
EIwHSd4 


The combination of a TOR-based site where only TOR users can access the 
content and encrypted payment systems was extremely revolutionary in the 
evolution of online market practices. These operations became known as cryp- 
tomarkets, reflecting the use of encryption in both site operations and payment 
systems (Martin, 2014). As a result, the site generated massive attention from 
media and law enforcement, which may have helped increase its overall visibil- 
ity in the underground. The site was eventually taken down through an 
FBI investigation, culminating in the arrest of the Dread Pirate Roberts on 
October 2, 2013 (Gibbs, 2013). 


For more information on the arrest of Dread Pirate Roberts, go 
online to: http://arstechnica.com/tech-policy/2013/10/how-the-feds- 
took-down-the-dread-pirate-roberts/ 


Other cryptomarkets quickly emerged in parallel to the Silk Road to gain 
a share of the extremely lucrative profits generated from the sale of illicit 
goods via TOR. When the Silk Road was taken down, vendors moved to 
other markets and found receptive audiences seeking out products (Décary- 
Hétu & Giommoni, 2017). Some vendors also created their own unique Dark 
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Web sites to advertise their products (Décary-Hétu et al., 2016; Smirnova & 
Holt, 2017). These sites are sometimes referred to as shops in which they 
serve as e-commerce platforms created and operated by individual vendors to 
offer their products directly to potential customers (Martin, 2014; Smirnova 
& Holt, 2017). For instance, there are a number of shops that claim to sell 
firearms and explosive devices to individuals around the world (Copeland 
et al., 2020). 

As the Internet and various technologies continue to evolve, so too will the 
practices of illicit markets in online spaces. The rise of cryptomarkets and Tor 
will likely be supplanted by some other platform in the near future, whether 
because of increased attention from law enforcement or more easy-to-use 
tools for buying, selling, and accessing customers. The increasing availability of 
encrypted messaging apps may also foster transformations in the process of buy- 
ing and selling illicit goods (see Box 12.5). Thus, there is a need for researchers 
and law enforcement to continuously examine illicit markets in online spaces so 


as to better understand their social and financial processes. 


Box 12.5 Charting New Directions for Online Illicit 
Markets 


Social Media Has Provided a New Marketplace for Drugs and 
Police Are Struggling to Keep UP 


https://www.abc.net.au/news/2020-08-24/rise-and-challenge-of- 
social-media-drug-dealing/12545320 


Three years ago Alex began using social media to sell drugs — and 
business took off. “Before social media, I usually got about five clients 
daily,” says Alex, who didn’t want to use their real name or reveal his 
or her gender. 


This article highlights changes in the ways that drug vendors have adapted 
to platforms like Facebook as a means to advertise encrypted applications 
channels where they can sell product with minimal risk. The individuals 
interviewed note that such platforms are far less visible than Dark Web 
shops and forums and demonstrate how drug transactions and advertising 
will change along with shifts in technology. 
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Contextualizing the Practices of Illicit Market 
Participants 


The diversity of products sold through illicit market operations on the Open 
and Dark Web call to question how vendors and buyers actually complete trans- 
actions and receive goods, especially narcotics and guns. The practices of ven- 
dors are actually quite consistent, regardless of whether the items are physical 
products, like a gun or a fake passport, or digital products like credit card data 
(Copeland et al., 2020; Décary-Hétu et al., 2016; Holt & Lee, 2020; Roddy & 
Holt, 2020). The process begins in earnest with an individual vendor making an 
ad for their product, whether through a post in a forum or cryptomarket or via 
their own website or shop. The more detail they can give, the more likely they 
are to be viewed as legitimate, in which transparency appears to create a degree 
of reliability for the seller (Copeland et al., 2020; Tzanetakis et al., 2015). 

Any attempt to demonstrate the specific characteristics of their products is 
helpful, such as pictures of a gun that are not stock photos, or images of one’s nar- 
cotics. Providing detailed descriptions of malware or its functions is also useful, as 
is allowing potential buyers to sort their data for sale by geographic place, or by 
card type (Dupont et al., 2017; Holt et al., 2016). In the case of physical goods 
sellers, the more information that they can provide to highlight their shipping 
process, the more it may help to instill trust in the vendor (Copeland et al., 2020; 
Décary-Hétu et al., 2016). For instance, noting that they ship in plain brown 
wrapping, or conceal the real item in other materials, is helpful as it demonstrates 
to customers that they are concerned about the security of goods in transit. 

Additionally, advertisements typically indicate the price for goods which will 
vary based on the nature of the product. As an example, credit card vendors may 
provide a price based on piece counts to encourage customers to buy in bulk 
(Herley & Floréncio, 2010; Smirnova & Holt, 2017). Drug vendors may indicate 
pricing by the gram or ounce depending on the type of narcotic they are selling 
(Décary-Hétu et al., 2016). Counterfeit identity documents may also provide spe- 
cific pricing based on the type of document being purchased, with higher prices 
for passports relative to drivers’ licenses or state ID cards (Holt & Lee, 2020). 

A more reputable advertisement will also provide the vendor’s preferred 
means of payment. In some instances, they may list their cryptocurrency wallet 
details to enable direct transfers of funds for product (Décary-Hétu et al., 2016; 
Moeller et al., 2017). Additionally, vendors will list their preferred methods of 
communication, which vary based on whether the seller operates on the Open 
or Dark Web. Individuals on the Open Web may allow contacts through instant 
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messaging platforms like Jabber or ICQ, as well as a variety of email addresses 
(Hutchings & Clayton, 2016; Hutchings & Holt, 2015). Some actors on both the 
Open and Dark Web may also use less public communications platforms, such as 
internal messaging systems in forums, or contact sheets that go directly to website 
owners in the case of shops (Copeland et al., 2020; Roddy & Holt, 2020). 

There is a great deal of evidence suggesting that Dark Web vendors and 
customers utilize encrypted email systems for communications (Décary-Hétu 
et al., 2016; Martin, 2014). These platforms are extremely helpful to conceal 
one’s activities from law enforcement and outsiders as they often do not log per- 
sonal information, like one’s name or IP address. In addition, the email systems 
utilize software that encrypts message content from user to user and while in 
storage (Martin, 2014). Individuals can only read the content when the correct 
decryption key is applied, which is only available to the account holder. As a 
result, messages cannot be read while they are in transit, nor by the service pro- 
vider. This creates substantial protection for individuals who do not want their 
messages to be observable by any outside party (Décary-Hétu et al., 2016). 

The customer must then make contact through whatever means required in 
order to provide the vendor with their order request. As noted earlier, buyers 
are typically required to provide funds up front to the seller, assuming a degree 
of risk because the vendor may not actually provide working data, malware, or 
physical goods (Copeland et al., 2020; Holt & Lampke, 2010). This is particu- 
larly true in the case of some physical goods, like firearms and narcotics, as the 
products may take some time to be delivered. Vendors typically use common 
package delivery services like DHL, UPS, and FedEx, with some even deliver- 
ing through traditional national postal services (Copeland et al., 2020; Décary- 
Hétu et al., 2016). 

The process of physically shipping illicit goods dramatically increases the risk 
of arrest for one or both parties as the item may be discovered in transit (Décary- 
Hétu et al., 2016). This is exemplified by the number of arrests in Australia and 
the UK stemming from individuals buying firearms on the Dark Web that ship 
from the United States (see Box 12.6 for information). Weapons have been 
identified by Homeland Security investigators before they leave the country, at 
which point they notify law enforcement in the destination country (Copeland 
et al., 2020). The packages are allowed to ship to their final destinations, which 
are being monitored by local law enforcement. Once received, police then arrest 
the individuals on charges related to illegal purchase and possession of firearms. 


Should an individual actually receive the goods that they paid for, there a 


few different outcomes that may occur. First, if the product is as advertised, 
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Box 12.6 Dark Web Gun Sales and the Law 


Teenager Jailed for 16 Years after Buying Gun and 
Ammunition on Dark Web 


https:// www.shropshirestar.com/news/uk-news/2019/09/13/teenager- 


jailed-for-16-years-after-buying-gun-and-ammunition-on-dark-web/ 


He used the cryptocurrency Bitcoin to purchase a Glock 17 handgun 
and five rounds of ammunition from an online gun dealer on the dark 


web, ordering it to his family home in Glouster [England]. 


This article highlights the risk of Dark Web weapon sales for offline crimes, 
as a 19-year-old man named Kyle Davies was arrested in Glouster, Eng- 
land, for purchasing a firearm through a shop. The weapon was identified 
by US law enforcement officers in transit, who notified the UK police. 
They arrested Davies upon delivery of the weapon, and a search of his 
home revealed evidence he was planning a mass shooting. His arrest may 
have stopped an act of serious violence from happening. 


they may use it in whatever way they see fit, and simply enjoy their purchase 
(Copeland et al., 2020; Holt & Lee, 2020). Second, some may choose to post a 
review, feedback, or provide details to online associates about the quality of the 
product (Décary-Hétu et al., 2016; Martin, 2014). Such effort is often valuable 
for both other customers to know what vendors are reliable, as well as the ven- 
dor to help increase their potential customer base. 

A third option involves receipt of an incorrect item or some other problem 
with the product. Should this occur, the customer must carefully review the 
terms of service for their purchase (Holt & Lee, 2020; Hutchings & Clayton, 
2016). This may be a relatively informal set of rules posted by a vendor in their 
shop or forum advertisement, or can be far more explicit and detailed in the case 
of some cybercrime-as-service providers. Some vendors clearly state that they 
do not offer refunds, while others may provide conditional returns or refunds 
if it is within a certain amount of time after purchase, or there was an error in 
producing the item (Dupont et al., 2017; Holt et al., 2016; Hutchings & Holt, 
2015). Vendors who make such claims are often viewed as being more reliable 
as they are offering a degree of customer support and service, which helps to 


retain repeat customers over time. 
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Debunking Claims Related to Illicit Market Operations 


Though research regarding online illicit markets has grown substantially in the 
last decade, there are still many questions and myths that abound about their 
operations. Media portrayals of the Dark Web suggest anything can be found 
there for a price with a heavy emphasis on unusual and frightening content. For 
instance, a video game was released online in 2016 called Welcome to the 
Game (Hospodar, 2021). The plot centers around the player accessing the Dark 
Web to find a red room, where someone is streaming the live torture of a 
person. The player must examine the code of various websites in the game to 
determine the URL of the red room, while avoiding having their computer 
hacked or being kidnapped by an online enemy (Hospodar, 2021). Once 
entered, the player then watches a cutscene of the red room’s executioner tor- 
turing and eventually killing someone. The game was so popular that a sequel 
was released in 2018, which places the player into the plot as a reporter trying 
to solve a kidnapping that appears to have been orchestrated by a group of indi- 
viduals operating on the Dark Web (Hospodar, 2021). The threats to the player 
increase in this version, including a hitman hired on the dark web to kill them, 
and hackers who can be stopped by buying tools from hacker marketplaces on 


in-game illicit online markets. 


For more information on the video game series Welcome to the 
Game, go online to: https://www.pcgamer.com/hack-the-deep-web- 


and-hide-from-hitmen-in-oftbeat-horror-game-welcome-to-the-game-2/ 


The popularity of this game series helps to reinforce myths about aspects 
of the illicit operations occurring online. The primary conceit of the series 
regarding the operation of red rooms on the Dark Web, where individuals can 
pay money to view the live torture, or murder of a human being, has yet to 
be proven (Pettit, 2021). There is virtually no documented evidence of these 
rooms truly featuring live torture or murder, though one need only look to 
YouTube and other video streaming sites on the open web to see gruesome 
images of human tragedy (Pettit, 2021). Additionally, as noted in Chapter 8, 
there is a massive amount of images and video content of children being sexu- 


ally and physically abused online. There are also various places where individu- 


als can livestream this content and direct the behavior of participants. 
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The fact that such horrific content can be found in various parts of the 
Internet calls to question why anyone would pay for such content on the Dark 
Web. It may be due in part to curiosity over finding this content and seeing it 
for oneself to satisfactorily address the question of whether they are real (Pettit, 
2021). It is more likely that any site advertising itself as a red room is actually 
only taking the individual’s money as a scam (see Box 12.7). There are limited 
examples of individuals actively seeking out serious abuse and red room content 
online. For instance, an Italian police investigation of child sexual abuse led to 
the arrest of two Italian teens after they paid to see the serious sexual abuse, 
torture, and murder of children via live stream (Zmudzinski, 2020). The two 
used the term red room to refer to the content they viewed, though it is not 
clear if they were seeking this content as a function of their sexual proclivities 
or an interest 1n torture. 

In much the same way, there are number of ads that can be found imme- 
diately on the Dark Web where individuals offer their services as hitmen, or 
individuals willing to engage in violence for a fee on behalf of others (Bateman, 
2021; Roddy & Holt, 2020). Some of the ads are clearly false, as they may be less 
than a page and use vague language, suggesting they will do anything to anyone 
for money. At the same time, some vendors take careful steps to use photos, 
carefully crafted language, and provide full price sheets (Roddy & Holt, 2020). 
These ads often use language indicating the hitman has prior military experience 


Box 12.7. Assessing the Red Room Phenomenon 


In Search of the Darkest, Most Disturbing Content on the 
Internet 


https://www.washingtonpost.com/news/the-intersect/wp/2015/09/02/ 


in-search-of-the-darkest-most-disturbing-content-on-the-internet/ 


Late last week, a rumor both disturbing and riveting began circling 
forums like 4chan and Reddit. A mysterious group claimed to have 
captured several Islamic State fighters—and promised to torture and 
kill them live on the Dark Web. 


This article explores and attempts to briefly debunk the notion of red 
rooms on the Internet, and the broader challenge of identifying fact from 
fiction on the Dark Web. 
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or were involved in organized crime activities (Bateman, 2021). Additionally, 
an analysis of multiple advertisements’ pricing was in line with amounts paid 
to individuals who were contracted for violence through in-person contacts 
(Roddy & Holt, 2020). 

Though the use of such language and pricing may give the vendor a sheen of 
legitimacy, it is unclear whether vendors actually offer the services they list (see 
Box 12.8). Most media reporting on hitmen services suggest they are not real 
and only seek to rip off potential customers. Several journalists and bloggers have 
noted that the website operators paid off individuals who say negative things about 
the vendors to hide their scams (Bateman, 2021). Others attempted to silence 
critics by taking extreme steps like threatening them with violence. For instance, 
a researcher named Chris Montiero who focuses on Dark Web hitmen has shared 
videos of people holding his personal information on handwritten notes in front 
of burning cars as a veiled threat of what may happen to him (Bateman, 2021). 
He has not, however, found any evidence supporting the notion that hitmen 


advertising online actually provide the services they are paid for. 


Box 12.8 The Threat of Hitmen Services on the 
Dark Web 


“| Kept Looking Over My Shoulder”: Teen Suspects 
Ex-Boyfriend Targeted Her in Dark Web Hit Job 


https:// www.oxygen.com/crime-news/alexis-stern-allegedly-targeted- 


online-asssasination-plot-besa-mafia 


In 2018, the Minnesota teenager [Alexis Stern] learned she was the 
target of a mysterious online assassination plot. Detectives told Stern 
that a user by the name of Mastermind 365 had paid roughly sev- 
eral thousand dollars in bitcoins to have her murdered. She thought 
she was being pranked. 


This article explores the unclear nature of online hitmen advertisements, 
but the real risks presented by allowing individuals with an avenue to pay 
others for the threat of violence. The story explains how a paid contract 
against Alexis Stern appeared online and the ways that both local and 
federal police have responded to the threat against her life. Readers will 
understand the challenge such a case may present for police. 
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Similar claims have emerged around kidnapping as an ancillary component 
of Dark Web hitmen service providers (Bateman, 2021; Roddy & Holt, 2020). 
A British model named Chloe Ayling was kidnapped in Milan Italy during July, 
2017. She was a model and was traveling for a photo shoot arranged by her 
agent. While there, she was injected with ketamine, stuffed into a large bag, and 
driven in the trunk of a car to a remote farmhouse (Hattenstone, 2018). Her 
kidnappers claimed to be The Black Death Group, consisting of Dark Web 
human traffickers operating out of Romania. They claimed to specialize in the 
sale of sex slaves and ran various websites featuring pictures of women who they 
claimed were available for sale (Hattenstone, 2018). Chloe was to be their next 
auction item if her family did not pay a ransom. 

Fortunately, there is no such group known to operate in the real world. 
Interpol investigated their operations, though there was no evidence to suggest 
their claims of trafficking were real (Hattenstone, 2018). In fact, the sites were 
operated by a 30-year-old Polish man named Lukasz Herba. He staged both the 
photo shoot and the kidnapping with assistance from his brother, Michael (Hat- 
tenstone, 2018). He also appeared to have brainwashed Chloe into believing the 
group existed and that he loved her and wanted to help her escape the group’s 
clutches. They both traveled to Milan and appeared outside of the English con- 
sulate days after the kidnapping and requested assistance (Hattenstone, 2018). 

Shortly after Lukasz was arrested and eventually found guilty of kidnapping 
by the Italian criminal justice system. The trial revealed the extremely convo- 
luted and unusual circumstances of the case, as Ayling and Herba were observed 
shopping for shoes together while she was supposedly attempting to escape from 
the kidnappers. In addition, Ayling has seemingly focused on garnering media 
attention from the kidnapping and seems relatively unaffected when discussing 
her experiences (Hattenstone, 2018). Instances such as these, where the realities 
of the incidents cannot be fully observed, enable outrageous claims of the goods 


and services for sale on the dark web to proliferate and gain legitimacy over time. 


Summary 


Taken as a whole, computers, mobile devices, and the Internet provide an envi- 
ronment where illicit products can be sold in parallel to real-world goods mar- 
kets. There are many similarities between the practices of vendors and their 
customers in both virtual and real spaces, though there are some distinctions 
in the ways that they must manage risks to their operations. The existence of 
illicit markets online also enables the spread of myths and untruths about what 


kinds of services may be obtained, which may only cause further harm to others 
as with hitmen and kidnapping services. As a result, there is a need for vigilant 
efforts by law enforcement, ISPs, and other place managers to regulate online 
spaces and limit the spread of these goods markets over time. 
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Key Terms 


Bitcoin 

Black Death Group 
Blockchain 

Closed market 
Cryptocurrency 
Cryptomarket 

Darkode 

E-Gold 

Encrypted email 

Exit scam 

Hitman 

Internet Relay Chat (IRC) 
Open markets 

Red room 

Shop 

TOR (The Onion Router) 


Welcome to the Game 


Discussion Questions 


1. Who do you think faces the greatest risk for engaging in an illicit mar- 


ket online, such as for narcotics or stolen data? Is it the customer or the 


vendor? Why? 


2.In a post-COVID-19 world, how do you think illicit markets will 
change? Do you think more people will move to online spaces for buying 
and selling anything illegal? 

3. What myths or ideas have you heard about what can be purchased on the 
Dark Web? What is the most outrageous thing, and why do you think 


that myth persists? 
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Chapter Goals 


e Understand how traditional criminological theories can be applied to 
cybercrime offending and victimization 

e Assess the usefulness of specific criminological theories, such as social 
learning theory and the general theory of crime, in explaining a variety 
of cybercrimes 

¢ Compare a situational theory of victimization with an individual-level 
explanation to understand cybercrime victimization 


e Explore whether new cybercrime theories are necessary 


Introduction 


Over the last several decades, scholars have debated how cybercrime offending 
differs from traditional crime. This textbook has demonstrated so far that moti- 
vations for cybercrime offending are typically the same as those for traditional 
offending. Financial incentive is a substantial motive for some hackers, malware 
writers, and virtually all fraudsters. Individuals who download legal and illegal 
pornography enjoy the easy access to material that satisfies their sexual desires. 
Online harassment, similar to traditional bullying, allows someone to hurt oth- 
ers and therefore have power over them from a distance. There is also the thrill 
and rush for deviants that are associated with harassing others, downloading 
pornography, swindling others, and breaking into a computer system. Thus, 
Grabosky’s (2001) comment seems apt: 


Computer crimes are driven by time-honoured motivations, the most obvi- 
ous of which are greed, lust, power, revenge, adventure (p. 243), and the 
desire to take “forbidden fruit.” None of the above motivations is new. The 
element of novelty resides in the unprecedented capacity of technology to 


facilitate acting on these motivations. (p. 244) 


As a result, cybercrime could be viewed as “old wine in a new bottle” (Gra- 
bosky, 2001; Wall, 1998). If this is the case, traditional criminological theories 
should have no difficulty in explaining cybercrime if it is simply “old wine.” 
The previous chapters, however, illustrated that there is something unique 
about cybercrime that separates it from traditional criminal activity. Although 


it might be the same “old wine,” there are instances of “new wine,” such as 
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malware creation, that has little connection to the physical world. The second 
part of this analogy, the new bottle, is also pertinent in that virtual space is 
different than physical space. The Internet allows easy access to most people 
around the world and provides an avenue for individuals to engage in cyber- 
crime while feeling largely anonymous. The Internet also allows the offender, 
whether an individual, group, or nation-state, to avoid making physical contact 
with the victim or his/her property. Thus, cybercrime may not be viewed as 
“old wine in new bottles” or even “new wine in new bottles,” but “rather 
many of its characteristics are so novel that the expression ‘new wine, but no 
bottles!” becomes a more fitting description” (Wall, 1998, p. 202). 

In addition, examining the uniqueness of cybercrime might allow us to 
better understand more about these phenomena as well as provide brand new 
insights on traditional forms of crime (Holt & Bossler, 2016). Discussions of 
new cyber-specific criminological theories might be a catalyst for additional 
theoretical creation and elaboration. Taken as a whole, this chapter will show 
that the future of cybercrime research is bright. Studies that elaborate complex 
associations that have been held in the traditional literature for decades will 
also provide new insights into the commission of crime — both traditional and 
cyber related. 

Unlike traditional criminological textbooks that place theories into catego- 
ries (e.g., classical and positivist) and then cover each theory in chronological 
order, our focus is on how criminological theories have been applied to cyber- 
crime. Thus, we focus on the theories that have been examined the most often 
and have therefore provided substantive insights into why individuals commit 
or do not commit these offenses. Considering that a subcultural framework has 
been used extensively through this text, we first begin with a discussion of sub- 
cultural research on cybercrime; readers should consider the information they 
read in the first 12 chapters for more detail. The two strongest competing theo- 
ries for explaining cybercrime based on empirical support — Ron Akers’ (1998) 
social learning theory and Gottfredson and Hirschi’s (1990) general theory of 
crime — will then be discussed. The chapter then progresses to cover theories 
that have recently been receiving more attention in the cybercrime literature 
but still have not received the same level of focus as social learning theory 
and the general theory of crime — Agnew’s general strain theory, techniques 
of neutralization, and deterrence theory. Two victimization theories that have 
been used to better understand cybercrime victimization — routine activity the- 


ory, a situational theory of victimization, and the general theory of crime, an 


individual-level theory — are then described and assessed. We finally conclude 
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with a discussion of how a traditional criminological theory has been modified 
to better understand cybercrime — digital drift theory. 


Applying Criminological Theories 
to Cybercrime Offending 


Subcultural Theories 
Overview 


Most criminological theories focus on offending as a consequence of individual- 
level factors that may be affected through properly targeted intervention strat- 
egies. These theories, however, do not explore the meaning that offending has 
for some individuals and the depth of their participation in peer networks that 
may facilitate criminal activity. Researchers who explore criminality through a 
subcultural lens can provide substantive depth on the how and why of criminal 
behavior (Miller, 1958; Short, 1968). 

Defined from a broad perspective, a subculture is any group having cer- 
tain values, norms, traditions, and rituals that set them apart from the domi- 
nant culture (Brake, 1980; Kornblum, 1997). Subcultures form as a response to 
either a rejection of the dominant culture (Miller, 1958) or around a distinct 
phenomenon that may not be valued by the larger society (Quinn & Forsyth, 
2005; Wolfgang & Ferracuti, 1967). This includes an emphasis on performing 
certain behaviors or developing skill sets (Maurer, 1981) and learning the rules 
or codes of conduct that structure how individuals view and interact with dif- 
ferent groups (Foster, 1990). Subcultures also utilize special terms and slang, 
called an argot. They may also have some outward symbols of membership 
like tattoos or informal uniforms (Maurer, 1981). Thus, demonstrating such 
knowledge illustrates an individual’s reputation, status, and adherence to a par- 
ticular subculture. 

In many ways, subcultural frameworks share common elements of social 
learning theory (Akers, 1998), since involvement in a subculture influences 
behavior by providing individuals with beliefs, goals, and values that approve 
of and justify particular types of activities, including crime (Herbert, 1998). 
In fact, the transmission of subcultural knowledge increases the likelihood of 
involvement in criminal behavior despite potential legal consequences for these 
actions (Miller, 1958; Short, 1968). As such, subcultural frameworks provide an 
important perspective to explain how the values and ideas espoused by members 


of a group affect the behavior of its members. 
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Subcultures and Cybercrime 


The development of the Internet and computer technology has had a dramatic 
impact on the formation of and participation in deviant or criminal subcultures 
(DiMarco & DiMarco, 2003; Holt & Bossler, 2016; Quinn & Forsyth, 2005). 
The anonymity and distributed nature of the Internet enables individuals to con- 
nect to groups that share similar likes, dislikes, behaviors, opinions, and values, 
regardless of the participants’ locations in the real world (DiMarco & DiMarco, 
2003). Some individuals may not be able to discuss their interests or activities 
with others in the real world due to fear of legal reprisal or concerns that others 
around them may reject them because they do not share their interests. 

Technology allows individuals to connect to others without these fears and 
even provide information about a behavior or activity to improve their knowl- 
edge and minimize fear of detection (Blevins & Holt, 2009; Holt, 2007; Quinn 
& Forsyth, 2005). Individuals can readily communicate subcultural knowl- 
edge through email and other forms of computer-mediated communications, 
or CMC (Holt & Copes, 2010; Holt et al., 2008). In turn, this information 
can increase the likelihood of success when engaging in illicit behavior despite 
potential legal consequences. Thus, the value of the Internet and CMCs with 
individuals across the globe is pivotal in the pursuit of crime and deviance online 
and offline. 

Throughout this textbook, we have used the subcultural framework exten- 
sively to describe the individuals that participate in a certain activity as well as the 
beliefs, structures, and interactions that provide support to them in opposition 
to community norms and standards that have defined them and their behavior 
in many cases as deviant or criminal. In Chapter 3, we explored the hacker sub- 
culture, devoid of Hollywood portrayals, and its primary norms of technology, 
knowledge, learning, and secrecy, regardless of the individual’s involvement in 
malicious hacking. Chapter 4 described how the interests and beliefs of malware 
writers are generally congruent with those of the larger hacker subculture. In 
Chapters 7 and 8, we discussed how the Internet has allowed individuals with 
deviant sexual orientations to interact with one another, gain validation for their 
sexual desires, exchange both materials and beliefs, and be part of a commu- 
nity. Finally, Chapter 10 examined the ways the Internet provides a means for 
extremist groups to indoctrinate individuals in favor of their movement. 

Technology allows individuals to be introduced to core principles and norms 
of the group while allowing them to interact with members from a safe physical 
distance. Future cybercrime scholars will continue to find this framework 
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fruitful in explaining how group dynamics affect individuals’ belief systems and 
participation in cyber deviant acts. 


For more discussion on different types of both offline and online 
subcultures, including the hacker subculture, go online to: http:// 


subcultureslist.com/hacker-culture/ 


Social Learning Theory and Cybercrime 
Overview 


Over the last century of research, scholars have found that the most consist- 
ent predictor of future offending is whether an individual has committed an 
offense in the past. Arguably the second most important predictor is whether 
that person has friends or associates who engage in crime and delinquency 
(Pratt et al., 2009). This link between peer behavior and offending has been the 
source of a substantial amount of both research and theory aimed at explaining 
this relationship. 

In 1947, Edwin Sutherland presented in his book, Principles of Criminology, 
one of the first theories to explain the peer-offending relationship: differential 
association theory (Sutherland, 1947). Sutherland argued that criminal behav- 
ior was learned in a process involving interactions and communication with 
others, with the most important interactions stemming from intimate personal 
groups. During this process, an individual not only learned techniques on how 
to commit crimes but also motives, rationalizations, and attitudes that supported 
the violation of the law. A person became more likely to commit delinquent 
or criminal acts when his or her “definitions,” referring to rationalizations and 
attitudes, which supported the violation of the law exceeded those that were 
unfavorable to breaking the law. Criticisms over the years, however, have cen- 
tered heavily on the theories: (1) testability; and (2) lack of specificity on the 
learning process mechanisms responsible for the commission of deviant and 
criminal behavior (Kornhauser, 1978; Matsueda, 1988). 

Since the 1960s, Ron Akers has reformulated differential association theory 
to specify the learning mechanisms through which criminal behavior is learned. 
In what has become known as social learning theory, Akers (1998) expanded 
upon Sutherland’s original differential association theory by introducing prin- 
cipal components of operant conditioning, namely, that behavior followed by 
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rewards or reinforcements will be more likely to continue while acts followed 
by punishment will be less likely (Akers, 1998). Thus, Akers’ (1998) social learn- 
ing theory argued that the learning process of any behavior, including crime, 
includes four principal components: (1) differential association; (2) defini- 
tions; (3) differential reinforcement; and (4) imitation. 

This dynamic learning process begins by associating with others, both devi- 
ants and nondeviants. Differential associations to deviants provide both mod- 
els for deviant behavior and definitions, such as attitudes and norms, which 
may favor breaking the law or providing justifications that neutralize possible 
negative consequences of deviance. Following Sutherland’s differential associ- 
ation theory, social learning theory holds that individuals who have a greater 
proportion of beliefs supportive of deviant behavior will be more likely to 
engage in those activities. 

Although definitions supporting criminal activity are critical to the offender 
to justify their behavior, criminality will occur if it is reinforced through some 
means, whether social or financial. For example, an individual who perceives 
that he will receive praise from his friends for throwing a rock through a win- 
dow will be more likely to throw the rock. If that praise comes, he will be more 
likely to continue this behavior in the future. Perceived or actual punishments, 
however, will decrease the likelihood of that behavior. The punishments can 
take the form of adding negative stimuli, such as spanking or arresting, or can 
be in the removal of positive stimuli, such as taking away television privileges. 
Finally, imitation plays a major role in the social learning process as individuals 
may engage in deviant behavior after watching someone else engage in the 
same behavior. Imitation plays a larger role in the earlier stages of the learning 
process. As the process continues, however, definitions and differential rein- 
forcements become more important. Social learning theory has been one of the 
most commonly tested criminological theories and arguably has received the 
strongest empirical support to date in its favor for explaining a wide variety of 
behaviors (Akers & Jensen, 2006; Lee et al., 2004; Pratt et al., 2009). 


Social Learning Theory and Cybercrime 


Given the support Akers’ (1998) theory has in the larger research community, 
it is no surprise that scholars have seen its potential importance in explaining 
why individuals commit cybercrime. The complexities of computer program- 


ming make the connection between learning and cybercrime quite apparent. 


Depending on the specific cybercrime, individuals must “learn not only how 
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to operate a highly technical piece of equipment but also specific procedures, 
programming, and techniques for using the computer illegally” (Skinner & 
Fream, 1997, p. 498). Even though computer technology has become more 
user-friendly due to convenient interfaces, there is a need for a learning process 
in which the basic dynamics of computer use and abuse are learned from others. 

Digital piracy (see Chapter 5) at first does not seem overly complex. Some- 
one simply downloads a music or movie file without authorization. Social learn- 
ing theory would hold that in order for individuals to commit digital piracy, 
they must participate in a social learning process. The individual must interact 
with fellow digital pirates, learn how and where to perform downloads, imitate 
what they have observed, learn definitions supportive of violation of intellectual 
property laws, and be rewarded either financially or socially for their efforts in 
order for the piracy to continue. 

Virtually every study examining digital piracy finds that associating with 
pirating peers, regardless whether the interaction is face-to-face (Bossler, 2021; 
Burruss et al., 2019; Higgins & Marcum, 2011; Holt et al., 2012) or virtual 
(Miller & Morris, 2016), is the most significant correlate in predicting pirat- 
ing behaviors. Friends and intimate relationships can provide information on 
the methods required to engage in piracy and the location of materials on the 
Internet. Piracy requires some technological skill that can be garnered through 
direct associations with others. The continuous technological developments 
noted in this community also require peer associations in order to readily iden- 
tify new mechanisms to download files. Individuals are then able to engage in 
simple forms of piracy through imitation (Hinduja, 2003; Holt & Copes, 2010; 
Holt et al., 2010; Ingram & Hinduja, 2008; Skinner & Fream, 1997). As pirat- 
ing becomes easier for an individual, the need for these delinquent associations 
could decrease. Furthermore, positive reinforcement for participation in soft- 
ware piracy is evident through both financial (1.e., free movies and music) and 
social (i.e., praise for showing someone how to use torrent sharing software) 
rewards (Hinduja, 2003; Holt & Copes, 2010; Van Roojy et al., 2017). 

Studies have also shown that pirates have both definitions that favor the vio- 
lation of intellectual property laws and techniques of neutralization that dimin- 
ish their personal responsibility for their actions (Brown, 2016; Burruss et al., 
2019; Higgins & Marcum, 2011; Ingram & Hinduja, 2008; Skinner & Fream, 
1997). Members of the piracy subculture espouse attitudes that minimize the 
impact of copyright law and the harms caused by pirating media. For instance, 
individuals who pirate materials commonly justify their actions by suggesting 
that downloading a few songs or media does not actually harm the property 
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owners or artists (Brown, 2016; Higgins & Marcum, 2011; Ingram & Hinduja, 
2008). Pirates also believe that their actions are not inherently wrong since there 
are no clear guidelines for ethical behavior in online environments (Higgins & 
Marcum, 2011; Ingram & Hinduja, 2008). These attitudes are often communi- 
cated between pirates and encourage further participation in piracy over time. 

In much the same way, social learning theorists argue that individuals who 
engage in computer hacking would need to associate with individuals who 
hack. These relationships should increase their likelihood to imitate hacking 
activity early in their development as a hacker as well as be exposed to defini- 
tions favorable to using technology in this fashion. As they participate further 
in the hacker subculture, hacking would be socially reinforced, possibly even 
financially, and the behavior would continue. 

Studies have shown that all four social learning components are empiri- 
cally related to hacking behaviors (Bossler & Burruss, 2011; Skinner & Fream, 
1997). The importance of peer associations in influencing hacking behavior is 
not only found in qualitative studies and anecdotal stories but has been consist- 
ently found to be one of the most important predictors of hacking behavior in 
quantitative studies as well (Bossler, 2021; Bossler & Burruss, 2011; Holt et al., 
2012; Leukfeldt et al., 2017; Skinner & Fream, 1997). Morris and Blackburn 
(2009) found that college students who associate with delinquent youth had 
a larger impact on more serious forms of computer crime, such as attempting 
hacking, malicious file damage, or manipulation, than their attitudes. Delin- 
quent peer associations have been empirically shown to be important in pro- 
viding models to imitate (e.g., Morris & Blackburn, 2009) as well as in the 
introduction and acquisition of beliefs and excuses to justify computer attacks 
(Bossler & Burruss, 2011; Skinner & Fream, 1997). Similar to the arguments 
that the hacker subculture provides positive social encouragement and praise 
for successful and innovative hacks, scholars testing social learning hypotheses 
have found similar results (Bossler & Burruss, 2011; Skinner & Fream, 1997). 
Skinner and Fream (1997) found that teacher encouragement, as well as par- 
ticipation in electronic bulletin boards, increased the likelihood of students 
guessing passwords. 

As discussed in Chapter 3, websites and chat rooms can play a large role in 
the social learning process of hackers. Box 13.1 displays an article that summa- 
rizes different websites where individuals can learn basic ethical hacking skills. 

Scholars have also found social learning theory to be useful in understand- 
ing different forms of online violence. Individuals who associate with deviant 
peers are more likely to cyberbully (Bossler, 2021; Lianos & McGrath, 2018), 
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Box 13.1 Examples of Websites that Provide 
Information on Hacking Techniques 


Best Websites to Learn Hacking 


https://www.compsmag.com/best/websites-to-learn-ethical-hacking/ 


Hacking isn’t an individual subject that anyone can pick up overnight. 
This can’t be accomplished after reading one article and visiting a few 
of these websites — the phrase is used to indicate that in time and with 


a lot of practice, you'll be able to ... hack like a pro. 


This article provides an overview of ten-key websites that can help 
individuals learn to hack ethically. There is inherent value in this arti- 
cle because it demonstrates that information on hacking can be acquired 
through virtual venues with a great deal of ease and engender the learning 


process in meaningful ways. 


cyberstalk (Choi et al., 2017; Marcum et al., 2017), and sexually harass others 
online (Choi et al., 2017). 

Scholars have also begun examining how social learning theory can be 
applied to how the Internet can radicalize youth to support or commit acts of 
terrorism (Freiburger & Crane, 2011; Pauwels & Schils, 2016). Terrorist groups 
have clearly been able to use the Internet to increase membership by gaining 
access to youth around the world (differential association) and communicating 
beliefs (definitions) that support terrorist activities. Within online support sys- 
tems, second-generation youth in new countries may feel isolated and discrimi- 
nated against and may be able to find and communicate with others online who 
are in similar situations. As their feelings intensify and they participate more 
often in online discussions, they will be more prone to accept the definitions 
favoring the particular ideological message promulgated on these websites. In 
addition, the Internet provides strong positive reinforcement in that it can make 
terrorists into instant celebrities, martyrs for the cause, and can glorify them 
long after they died. These reinforcements provide the perception to youth that 
the glory, not to mention increases in self-esteem and self-identity, stemming 
from violence and harm greatly outweigh the negative consequences. Finally, 
the information and videos posted online provide simple steps for someone to 
follow and imitate (Freiburger & Crane, 2011). 


Cybercrime and Criminological Theories 


As the above paragraphs demonstrated, Akers’ (1998) social learning the- 
ory is not just one of the most theoretically and empirically sound theories to 
account for traditional forms of crime, but it also applies equally as well to a 
wide variety of both simple and more complex forms of cybercrime. 


General Theory of Crime 
Overview 


Unlike most traditional criminological theories that focus on examining why 
people commit crime, social control theories ask the opposite question: “What 
causes people to actually conform to the rules?” Control theories argue that 
individuals engage in crime as a function of our basic human nature, and the 
desire to obtain the rewards that crime can bring, whether economic or emo- 
tional. They argue that motivation is generally invariant among all individuals, 
meaning that no one person is any more motivated to commit a crime than 
another. What separates criminals from noncriminals then is the amount of 
control placed on the individual, whether by the law, society, school, family, 
friends, oneself, or other institutions and groups. Criminals simply have less 
control placed upon them, making them freer to pursue their pleasures through 
the most efficient means, which is quite often illegal. 

Over the last two decades, the most popular, parsimonious, and highly 
tested social control theory developed has been Michael Gottfredson and Travis 
Hirschi’s (1990) general theory of crime. The theorists argue that most 
crimes are relatively simple actions that provide immediate gratification. Based 
on the characteristics of most crimes, Gottfredson and Hirschi argue that offend- 
ers have certain behavioral and attitudinal characteristics, including being impul- 
sive, insensitive, and giving little consideration to the future. Since they act on 
the spur of the moment, they give little thought to the consequences of their 
actions. The lack of forethought and other behavioral characteristics lead them to 
fail in school, have poor relationships with others, and engage in risky behaviors 
in which the long-term consequences outweigh the meager short-term benefits, 
such as smoking, drug use, and unprotected sex. Taken as a whole, Gottfredson 
and Hirschi (1990) argue that criminal behavior and other risky activities stem 
from one’s level of self-control, or the ability to constrain their own behavior 
through internal regulation. Adequate levels of self-control are primarily formed 
in childhood through proper parental child-rearing techniques, including mon- 
itoring, recognizing inappropriate behavior, and punishing that inappropriate 


489 


Cybercrime and Criminological Theories 


490 


behavior. Although the theory might seem simplistic, low self-control has been 
one of the more consistent correlates of crime (Pratt & Cullen, 2000) and has 


been consistently linked to a wide range of crime and deviance. 


The General Theory of Crime and Cybercrime 


The general theory of crime has frequently been applied to cybercrime since it 
is a general theory, meaning that it should be able to explain any form of crime. 
Self-control theorists argue that most forms of cybercrime are similar to that of 
traditional crime: they are simple in nature, can be performed with little to no 
skill, and will lead to long-term consequences greater than short-term benefits. 
Thus, the reason why people commit cybercrime is the same reason people 
steal, hit, rob, burglarize, and sell drugs — inadequate levels of self-control. 

Empirical research consistently supports the argument that low self-control 
is a significant predictor in understanding why people commit a wide variety of 
cybercrimes and cyber deviance, including, but not limited to: online harassment 
(Holt et al., 2012; Li et al., 2016; Lianos & McGrath, 2018), downloading online 
pornography (Buzzell et al., 2006), digital piracy (Higgins & Marcum, 2011; 
Udris, 2016), and online economic crimes (Moon et al., 2010). Individuals with 
low levels of self-control are more likely to harass, bully, or stalk others online 
due to both their inability to control their temper and their inclination to “solve” 
problems physically rather than mentally (Holt et al., 2012; Li et al., 2016). 

Individuals who are impulsive and focus on easy and simple immediate grat- 
ification are more likely to view and download online pornography (Buzzell 
et al., 2006; Holt et al., 2012). Digital piracy, whether involving software, 
music, or movies, is considered a simple task that requires minimal skill, pro- 
vides immediate gratification with almost no effort, and indicates little empathy 
for the owners of the intellectual property (Higgins & Marcum, 2011). In addi- 
tion, individuals with low self-control are more likely to commit identity theft 
(Moon et al., 2010), simply viewing online economic crime to be a simple and 
easy way to make quick cash to support immediate wants. 

There is some potential that more complicated forms of cybercrime, such 
as computer hacking, may not be accounted for through the general theory of 
crime. Self-control theorists would argue that computer hacking is simplistic and 
that hackers are just taking advantage of easy opportunities. They would also 
expect hackers to have some of the same characteristics of “traditional” crimi- 
nals, including: impulsivity; lacking diligence; not focusing on long-term goals; 
not being cognitive; self-centered and non-empathetic; and easily becoming 
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frustrated. Research provides some support for this idea, though there are some 
major inconsistencies as well (Bossler & Burruss, 2011). Both traditional criminals 
and computer hackers illustrate a lack of empathy for their victims (Turgeman- 
Goldschmidt, 2005). In addition, hackers often state that they engage in hacking 
activities because of the thrill or rush of the hack (Schell & Dodge, 2002). They 
also enjoy the adventure of exploring what new technology can do. 

Much of what is known about sophisticated hacks and malware develop- 
ment, however, suggest hackers have higher levels of self-control. They can 
typically be cognitive and verbal, as demonstrated by their strong commitment 
to and mastery of technology (Holt, 2007; Schell & Dodge, 2002). Many hack- 
ers are also enrolled in high school/college or employed, sometimes in the 
security field, all indicating some interest in long-term goals (Bachmann, 2010; 
Holt, 2007; Schell & Dodge, 2002). The potential disparity between hackers 
and those who engage in “hacks” makes it difficult to apply the characteristics 
of low self-control to hacking in general. Hackers that can be considered “script 
kiddies” seem to have the characteristics of the traditional criminals to which 
Gottfredson and Hirschi (1990) refer (Holt, 2007). They fulfill their immediate 
gratification by using simple techniques, like downloading others’ programs, 
shoulder surfing, brute-force attacks, and social engineering, that do not require 
any deep knowledge of technology or much time and effort (Holt & Kilger, 
2012). More advanced forms of computer hacking, such as the creation of mali- 
cious software, require a much greater amount of technical proficiency as well 
as time and energy to perfect the program — concepts incongruent with low 
self-control (Bossler & Burruss, 2011; Holt & Kilger, 2012). 

Empirical tests support the complex relationship between low self-control and 
computer hacking. Holt et al. (2012) found that low self-control predicted com- 
puter hacking, specifically accessing another’s computer account of files without 
his/her knowledge or permission, in a sample of youth. Holt and Kilger (2008), 
however, found that hackers “in the wild” had similar higher levels of self-control 
compared to a sample of college students in information security courses. Bossler 
and Burruss (2011) also found that in a college sample, youth who committed 
three types of hacking behaviors (guessing another person’s password into his/her 
computer account or files; accessing another’s computer account or files without 
his/her knowledge or permission to look at information; and adding, deleting, 
changing, or printing any information in another’s files without permission) and 
did not partake in the social learning process needed higher levels of self-control 


in order to be able to figure out how to hack. Individuals with lower levels of 


self-control were more likely to be involved in a social learning process which 
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connected them with peers who taught them methods of hacking and reinforced 
the value of these activities (Bossler & Burruss, 2011). Self-control had a larger 
influence on hacking via its indirect effect on hacking through the social learning 
process than its direct effect on hacking. In simpler terms, one can argue that 
lower levels of self-control were more related to computer hacking generally. 

Bossler and Burruss (2011) considered this “partial support” at best for the 
general theory of crime’s ability to explain computer hacking. The lack of gen- 
eral research on this issue, however, leads to a fundamental and basic question: 
is computer hacking a simple activity that can be explained by one important 
concept such as low self-control or is it a more complex activity that requires 
being involved in a long-term social learning process that requires peers teach- 
ing and reinforcing behaviors? The current body of research suggests that both 
answers are correct. Simple hacking techniques, such as brute-force attacks (see 
Chapter 3) require little skill and can be explained by both low self-control and 
social learning, though the influence of the social learning process on hacking is 
always stronger than the effect of low self-control. At the same time, more com- 
plex forms of hacking require advanced skills that are acquired through a social 
learning process and/or on their own due to their higher levels of self-control. 

In the end, there is no denying the importance of low self-control in under- 
standing the commission of cybercrime. These studies indicate that self-control 
may predict crime in the cyberworld as well as it does in the terrestrial world. 
In addition, research also shows that the influence of delinquent peer associa- 
tions is a stronger predictor of cybercrime than levels of self-control (Holt & 
Bossler, 2014, 2016). Thus, the general theory of crime and social learning must 
be discussed together in some respects rather than treated separately. 


For more information on how “easy”’ it is to hack a computer, go 
online to: https://motherboard.vice.com/en_us/article/famous-iphone- 


hacker-geohot-shows-us-how-easy-it-is-to-hack-a-computer 


Agnew’s General Strain Theory 
Overview 


Robert Agnew’s (1992, 2006) general strain theory is an individual-level the- 
ory developed as an expansion of Robert Merton’s (1938) classic strain theory. 
Merton’s original version of strain theory posited that being unable to achieve 
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the goal of economic achievement leads to a sense of frustration. To deal with 
this strain, individuals need to find other ways to satisfy their needs which could 
include criminal activity. In Agnew’s version, he discusses the role of frustra- 
tions leading to negative emotions, such as anger, frustration, and depression, 
which if not addressed appropriately, can lead individuals to engage in crime as 
a response. 

Agnew (1992) identified three primary categories of strains that can have a 
substantive impact on emotional states: (1) the threatened or actual failure to 
achieve positively valued goals; (2) threatened or actual removal of positively 
valued stimuli; and (3) threatened or actual presentation of noxious stimuli. In 
simpler terms, not achieving a goal (e.g., not landing the job that you wanted, 
failing a test), having something positive taken away (e.g., loss of a parent or 
loved one), or experiencing something bad (e.g., bullying, family conflict) can 
all lead to negative emotions such as frustration or anger. These central argu- 
ments have received sound empirical support since the theory’s inception. Life 
strains significantly influence involvement in delinquency (Agnew & White, 
1992; Broidy, 2001; Paternoster & Mazerolle, 1994), though this relationship 
is mediated by increased levels of negative emotions, particularly anger and 
frustration (Brezina, 1998; Mazerolle & Piquero, 1997). Those who experience 
greater negative emotions are more likely to respond to strain with delinquency 


and crime. 


General Strain Theory and Cybercrime 


Almost all scholars who have applied general strain theory to cybercrime have 
chosen to examine cyberbullying. This is sensible, given that the virtual envi- 
ronment allows individuals to immediately and easily vent frustration and anger 
at others in a detached way that does not require direct interaction with their 
victim (see Chapter 9). Thus, it would make sense for it to also apply well to 
explaining why some individuals choose to cyberbully others. Another reason 
is that in Agnew’s (2001) significant elaboration of general strain theory, he 
identified bullying as a strain that was particularly relevant for explaining delin- 
quency. He specifically provided four conditions that bullying satisfies to cause 
strain: (1) the victim will perceive the bullying as unjust; (2) it will be perceived 
as being high in magnitude or importance because of the vitality of peer rela- 
tionships for youth; (3) the bullying will be occurring away from traditional 


forms of social control such as parents or teachers; and (4) the victim will be 


exposed to aggressive behavior to model his or her own future behavior. 
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Box 13.2 Emotional, Mental, Behavioral, and 
Physical Effects of Cyberbullying 


The Real-Life Effects of Cyberbullying on Children 


https://www.verywellfamily.com/what-are-the-eftects-of-cyberbullying- 
460558 


Any type of bullying can have physical and psychological effects on a 
child. Anxiety, fear, depression, low self-esteem, behavioral issues, and 
academic struggles are just a few of the challenges kids may experience 
if they targets. Cyberbullying, however, may be particularly damaging. 


This article demonstrates the substantive emotional harms that children 
can experience as a result of cyberbullying. The impact of this experience 
can be wide-ranging and may be sufficient to lead an individual to feel 
anger and frustration over a long period of time, which ties in to Agnew’s 


general strain theory. 


The empirical research to date has supported this application of general strain 
theory (see Box 13.2). Young people, who are more likely to experience a wide 
variety of strains, including poor school performance, perceived unfair sanctions 
from teachers or parents for conduct, and the experience of negative life events, 
are more likely to participate in bullying behaviors on and offline (Lianos & 
McGrath, 2018; Moon et al., 2011; Paez, 2018; Patchin & Hinduja, 2011). 

Cyberbullying victimization, however, can also be viewed as a strain on 
its own. Studies have demonstrated that experiencing cyberbullying can lead 
youth to commit future delinquency, abuse substances, or self-harm (Baker & 
Pelfrey, 2016; Hay et al., 2010; Hinduja & Patchin, 2007; Kaakinen et al., 
2018; McCuddy & Esbensen, 2017). In fact, cyberbullying victimization is 
often found to have larger effects than physical bullying on future offending and 
substance use (Hay et al., 2010; McCuddy & Esbensen, 2017). Wright and Li 
(2013) found that both peer rejection and cyberbullying victimization predicted 
future online aggression even when controlling for past acts of cyber aggression. 
In addition, being cyberbullied led to more aggression when coupled with peer 
rejection (Wright & Li, 2013) and physical bullying (Wright & Li, 2012). 

Although general strain theory has shown itself to be a relevant theory for 
explaining traditional forms of crime as well as cyberbullying, the extent that it 
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will apply to other forms of cybercrime has yet to be fully examined (Holt & 
Bossler, 2016). For example, studies have generally not found evidence linking 
various types of strain with digital piracy (e.g., Brunton-Smith & McCarthy, 
2016). Although its propositions are not strongly connected to property-driven 
cybercrime, such as digital piracy, its tenets marry well with the often pred- 
atory nature of computer hacking. General strain theory provides interesting 
propositions on why individuals would commit computer hacks. For instance, 
there may be certain life events, whether being fired, failing in school, or los- 
ing a boyfriend or girlfriend, that may lead individuals to experience negative 
emotions. Experiencing anger, resentment, frustration, or possibly depression 
may all be pertinent triggers that could lead someone to lash out and attempt 
to harm others by attacking their systems (for examples, see Rege, 2013). More 
advanced examinations of general strain theory could consider whether involve- 
ment in political or ideologically driven hacks, like those of Anonymous could 
stem from individual perceptions of how technology and information is used 
in our society, coupled with anger or frustration, affects involvement in illegal 
computer intrusions to address their perception of the problem. Only future 
research can address how general strain theory can apply to forms of cybercrime 
other than cyberbullying. 


Techniques of Neutralization 
Overview 


Gresham Sykes and David Matza’s (1957) techniques of neutralization focus 
on how beliefs affect the process of deciding to commit a delinquent or crim- 
inal act. This theory assumes that most people hold conforming beliefs but 
may still engage in criminal behavior occasionally. Delinquents and criminals 
develop neutralizations prior to committing the act to justify why the behavior 
was acceptable and not in conflict with their general belief system. This allows 
them to drift between criminality and conformity without accepting a deviant 
or criminal identity (Matza, 1964). Unlike social learning theory, which would 
argue that the criminal offender had more beliefs supporting breaking the law 
than conforming beliefs, techniques of neutralization argue that the offender 
maintains a conventional belief system but can still justify deviant behavior. 
Sykes and Matza (1957) developed five basic techniques that allow individ- 


uals to break from conformity: (1) denial of responsibility: someone else, 


event, or situation will be directly responsible for the offense and should be 
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blamed; (2) denial of an injury: no one or thing will get hurt or damaged; 
(3) denial of a victim: there is no discernible victim (e.g., large corporation) or 
the “victim” deserved it; (4) condemnation of the condemners: those who 
would condemn their actions are hypocritical and doing so out of personal spite; 
and (5) appeal to higher loyalties: the offense is for the greater good of the 
group. One can summarize these five techniques with the following statements: 
(1) “It wasn’t my fault;” (2) “No big deal. Nothing really happened;” (3) “They 
deserved it;” (4) “You would have done the same thing;” and (5) “My friends 
needed my help.” 


Techniques of Neutralization and Cybercrime 


Scholars have applied the techniques of neutralization to a range of cybercrimes 
in order to understand how these behaviors can be justified by individuals who 
primarily live conforming lifestyles and have value systems congruent with that 
of traditional society. Most of the research focus has been on digital piracy, par- 
ticularly in college samples, arguing that students hold justifications that allow 
them to download music or media without believing themselves to be crimi- 
nals. Quantitative analyses of piracy have found weak (Hinduja, 2007) to mod- 
erate support (Higgins et al., 2008; Ingram & Hinduja, 2008; Marcum et al., 
2011; Morris & Higgins, 2009) for the acceptance of various beliefs that justify 
this behavior. Scholars who have interviewed digital pirates have found stronger 
support for techniques of neutralization (Holt & Copes, 2010), which may be 
due to the nature of interviews allowing the respondents to express their feelings 
clearly, rather than giving preselected responses to a given question. Holt and 
Copes (2010), for example, found that persistent pirates do not see themselves 
as part of some piracy subculture, but simply that they have beliefs that justify 
these actions. 

Ulsperger et al. (2010) performed one of the most intensive qualitative 
examinations of music piracy using a sample of youth born in “Generation Y” 
between 1982 and 1992. The authors found that the most prevalent technique 
supported among this group was denial of responsibility, at 36 percent of all 
sampled. Individuals in the sample placed the blame for their pirating behav- 
iors on the mere existence of the Internet, time constraints to go to the store, 
economic disadvantage, being underage and not being allowed to purchase the 
music, and the simplicity of downloading music. The second most common 
technique was condemning the condemners, with students focusing their atten- 
tion on the fact that it seems that everyone does it, governmental apathy in 
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addressing downloading music, and the record industry’s need to refocus its 
energies to something else. Fifteen percent denied that there was a victim and 
thought that the music industry was greedy, CDs were too expensive, and cor- 
porations were exploiting customers. Another 15 percent denied that an injury 
even occurred. They argued that there was no moral harm, music is not a tan- 
gible product, they were previewing it for later purchase, and that they were 
informally promoting the artist. Finally, they also appealed to higher loyalties 
than the law and the music industry, including their friendships, freedom, God’s 
gift of music, free trade, and environmental concerns. 

Scholars have also found that hackers use a variety of techniques as well to 
justify their actions, as documented in Chapter 3 (see also Box 13.3). Many 
hackers deny any injury occurred by arguing that either their computer exploits 
do not actually cause any harm (Gordon & Ma, 2003) or that gaining unau- 
thorized access to computer systems is not very serious in comparison to other 
illegal acts (Chua & Holt, 2016). Others blame victims for having inadequate 
computer skills or computer systems to prevent the victimization (Chua & Holt, 
2016; Jordan & Taylor, 1998; Turgeman-Goldschmidt, 2005). Hackers may 
also appeal to higher loyalties by stating that they are helping society by expos- 
ing corruption or providing knowledge freely to society (see Chapter 3; Chua 
& Holt, 2016). They may also argue that the victim had it coming or that large 
corporations are greedy and do not really need the additional profits that their 
hacking prevented. 


Box 13.3 Justifications for Hacking 


Hacking Can Be Justified 


http://debatewise.org/debates/3452-hacking-can-be-justified/ 


With the possibility of cyber warfare and concerns over hacks that 
result in huge amounts of information being stolen getting more wide- 
spread white hat hackers are becoming more necessary to ensure secu- 
rity. Can such attacks be justified? 


This article provides a robust and informed debate on the ways that hack- 
ers may be able to justify their involvement in serious attacks. The article 
provides good insights from both the perspective of hackers and of infra- 
structure owners and governments that may be harmed. 
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In Morris’s (2011) insightful study examining the justifications that hackers 
frequently use, he found that neutralizations help us understand password guess- 
ing and illegal access to a computer system specifically, but not for file manip- 
ulation. He also found that associating with delinquent peers was a significant 
predictor of computer hacking over and above individual beliefs and agreement 
with techniques of neutralization. He therefore summarized that the techniques 
of neutralization are complementary to other theories but not necessarily a stan- 
dalone theory. 

Finally, Copes and Vieraitis’s (2009) study on how traditional identity thieves 
use techniques of neutralization is insightful for understanding online economic 
crime, even if their sample did not include online identity thieves. The identity 
thieves stated that they would not engage in just any type of crime; they would not 
physically hurt others for money as this was perceived to be morally wrong. They 
most frequently used: (1) denial of injury; (2) denial of victim; (3) appeal to higher 
loyalties; and (4) denial of responsibility when justifying their actions. The most 
common justification used by the identity thieves is that their actions did not cause 
any real harm to actual individuals. Most loss was minor and victims resolved the 
problems with a few quick calls. If the thief acknowledged that a victim existed, 
they thought of large organizations that deserve victimization because of their 
unethical business practices. Thus, they not only denied these organizations victim 
status, but also “condemned the condemners” (Sykes & Matza, 1957). 

The identity thieves also justified their crimes by stating that they were trying 
to help others (i.e., appeal to higher loyalties) by obtaining money. Their efforts 
could provide a better life for their children or give confidential information or 
government documents to family members and friends. In these cases, they did 
not normally think their actions were ethical, but that the needs of their families 
and friends were more important in the decision-making process. Finally, many 
of the identity thieves who worked within organizations claimed that they only 
played a minimal role in the crime, received little reward, and their supervisors 
in the organizational hierarchy had greater responsibility for the offense. 

In summary, Sykes and Matza’s (1957) techniques of neutralization provides 
scholars with a framework to understand various forms of cybercrime, particu- 
larly digital piracy, computer hacking, and identity theft. Although quantita- 
tive analyses usually only provide modest support for the theory’s propositions, 
in-depth qualitative interviews provide much stronger evidence. As a result, 
neutralization theory research will likely continue in the future as scholars 
attempt to identify rationalizations that allow usually conforming individuals to 


drift temporarily into online criminal behavior. 
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Deterrence Theory 
Overview 


The Classical school of criminology, which dates back to the mid-18th cen- 
tury, was the product of the intellectual beliefs of the Enlightenment era. They 
viewed humans as hedonistic, rational, and calculating. As a result, crime was the 
result of free will and rational decision-making by individuals. People weighed 
the benefits and costs of a possible decision and chose whichever increased 
pleasure and decreased pain. They were not compelled to do so by any internal 
(e.g., biological) or external (e.g., demons) forces beyond their control. In order 
to minimize the possibility of crime, society needed structures to convince indi- 
viduals that crime was neither a profitable nor pleasurable choice. To do this, 
governments needed to clearly codify laws on what was inappropriate, set pun- 
ishments that were equal to the pleasure of the crime so no incentive would 
exist, apprehend criminals when they broke the law, and punish them swiftly 
(Paternoster, 1987). 

The principles of deterrence theory, generated by Cesare Beccaria, are a 
direct reflection of the ideas of the Classical school. This perspective argues that 
humans will be deterred from choosing to commit crime if they believe that 
punishments will be certain, swift, and proportionately severe. The certainty 
of the punishment refers to how likely it is that the individual will be caught 
and punished for the offense. Swiftness, or celerity, of the punishment refers to 
how quickly the punishment follows the criminal act, not the apprehension of 
the offender. Finally, the severity of the punishment involves the intensity of 
the punishment relative to the harm caused by the crime. 

Scholarly research has shown modest support for deterrence theory proposi- 
tions using a wide variety of methods, including retrospective accounts, percep- 
tual surveys, and longitudinal assessments (Paternoster, 1987; Pratt et al., 2006; 
Yu & Liska, 1993). Studies have shown that certainty, not severity, is the most 
important deterrence component. Increasing the perceived probability of get- 
ting caught is more important than increasing the severity of the punishments 


(e.g., More years in prisons, larger fines) associated with the crime. 


Deterrence and Cybercrime 


Based on Chapters 2—12 of this text, it is clear that most Western nations based 
their government structures and criminal justice systems on the tenets of the 


Classical school. Each chapter has ended with a discussion of the legislation 
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that nations have passed to criminalize certain computer-related behaviors, the 
specific punishments associated with each offense, and the agencies that enforce 
violations of these laws. These structures should provide an easily communi- 
cated framework to deter would-be cybercriminals based on the certainty of 
getting caught and receiving appropriate punishments. 

Scholars have generally expressed concerns about the ability of governments 
to deter cybercrime through the threat and application of formal sanctions if law 
enforcement or government agencies cannot attribute a cybercrime or cyberat- 
tack to a certain person, organization, or nation (Brenner, 2007). Many cyber 
offenders may feel immune to the threats of formal sanctions as a result of the 
anonymity of the Internet. Any concerns about the seriousness of punishments 
is moot if offenders believe that the certainty of apprehension of many cyber- 
crimes is low (Holt & Bossler, 2016). 

Researchers have attempted to test if formal sanctions deter various forms of 
cybercrime, primarily using college samples. In a recent study, Bossler (2021) 
found that college students who perceived formal sanctions to be more certain 
and severe were less likely to commit digital piracy, commit minor forms of 
computer hacking, and online harass others; perceptions of formal sanctions, 
however, were not significantly related to any category of cybercrime when 
also examining perceptions of informal sanctions (i.e., punishments from fam- 
ily and friends) and deviant peer associations. Instead, associating with deviant 
peers and perceptions of informal sanctions were the two strongest predictors 
of cybercrime. 

Other scholars have also examined which specific elements of deterrence 
appear to have an influence on behavior. Higgins et al. (2005) found that 
certainty of punishment, not severity, reduced the likelihood of piracy, sup- 
porting deterrence research on traditional criminal offending. Wolfe et al. 
(2008) examined whether intent to commit digital piracy was influenced 
by self-imposed guilt, the perception of whether family and friends might 
find out about the piracy, and the fear of getting a virus through pirated 
materials. Their results showed that guilt, an informal source of punishment, 
was one of the strongest factors preventing individuals from downloading 
music illegally. The fear of a malware infection was not, however, signifi- 
cant. Thus, it may be that informal levels of social control, such as guilt and 
embarrassment, might prove more useful in decreasing digital piracy than 
legal actions. 

Scholars have also examined whether computer hackers can be deterred. In 
a sample of college students, Skinner and Fream (1997) found that the severity 
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of punishment associated with computer intrusions decreased their occurrence. 
The certainty of detection, by either administrators or students, was not signifi- 
cantly related to hacking behavior. 

Extending this line of inquiry into the deterrability of hackers, Maimon and 
associates (2014) conducted an experiment to study whether displayed warning 
banners affected the progression, frequency, and duration of computer intrusions 
or trespassing. Using a set of live computers connected to the Internet that are 
designed to be attacked, called honeypots, the authors found that the warning 
banners did not affect immediate termination of computer intrusion. Individ- 
uals who saw the warning banner were no more likely to leave within the first 
5 seconds than those who were not presented with the banner. In addition, the 
warning banners did not reduce the volume of repeated trespassing incidents. 
The warning banners did, however, shorten the duration of the trespassing inci- 
dents (Maimon et al., 2014). In a similar study, Wilson et al. (2015) found that 
the presence of surveillance banners reduced the severity of computer intrusion 
attacks, measured by whether commands were entered into the system, but only 
in longer first system trespassing events. Howell et al. (2017) presented either 
no warning banner or one of three types of warning banners — altruistic moral 
persuasion, legalistic, and ambiguous — to computer intruders and found that 
the difference in warning banners was not related to the keystrokes entered by 
the intruder to avoid detection. Thus, researchers have found modest support at 
best that traditional deterrence mechanisms can deter hackers from trespassing 
into university network systems. 

Since the Internet allows individuals to attack both end users and govern- 
ment targets, researchers have presented arguments as to how deterrence can 
be used to prevent cyberattacks or cyberterrorism (e.g., Blank, 2001; Brenner, 
2007; Geers, 2012). For example, Guitton (2012) argued that actor attribution 
(determining the source of an attack) can act as a deterrent, but only when the 
individual had a good knowledge of the attribution process, acted rationally, and 
was concermed about the costs of punishment. Attribution will not, however, 
be effective for irrational actors who do not fear punishments, possibly because 
the praise received from a successful cyberattack requiring skill is considered 
more important to these individuals. If deterrence only appears to be influential 
for rational actors, how should nation-states protect themselves from hackers 
who are more concerned about the perceived benefits of the cyberattack and 
to make a political statement regardless of the costs to him or his country? This 


assumes that a nation can actually identify the source of an intrusion in the first 


place, which is not always possible (Brenner, 2007). 
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Clearly, more research needs to be conducted on the benefits of a deter- 
rence framework to understand various forms of cybercrime. In some instances, 
the lack of deterrence research regarding cybercrimes appears to have to do 
more with its testability and measurement issues than the logic of its theoretical 
arguments. Thus, future researchers might move away from conducting surveys 
which have had difficulty assessing the theory to more experimental designs. 


Applying Criminological Theories 
to Cybercrime Victimization 


Criminologists have not only used traditional criminological theories to better 
understand why some individuals are more likely to commit various forms of 
cybercrime, but also which factors place individuals at greater risk for cybercrime 
victimization. The two most common theories used to assess the likelihood 
of cybercrime victimization are Lawrence Cohen and Marcus Felson’s (1979) 
routine activity theory and Michael Gottfredson and Travis Hirschi’s (1990) 
general theory of crime. 


Routine Activity Theory 
Overview 


Cohen and Felson (1979) argued that direct-contact predatory victimization 
occurs with the convergence in both space and time of three primary compo- 
nents: (1) a motivated offender; (2) a suitable target; and (3) the absence 
of a capable guardian. If one component is missing, crime will not occur 
making this an ideal theory to examine how offender and victim interactions 
may be artificially affected to reduce crime. Motivated offenders constitute any 
individuals or groups who have both the inclination and ability to commit 
crime. Cohen and Felson assumed that there would always be an ample supply 
of motivated offenders. Thus, they were more interested in how social (e.g., 
more women joining the work force) and technological (e.g., lighter electron- 
ics) changes affected changes in national crime rates. 

A target, whether referring to a person or object, is viewed as suitable based 
on how attractive it is to the offender on a wide range of factors, including 
monetary value, ease of access, and other intrinsic values. Finally, capable guard- 
ians exist to protect the target from harm. Guardianship can be expressed in 
various ways, including physical (e.g., security cameras, lighting, alarm systems, 
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locks), social (e.g., friends), and personal (e.g., knowing martial arts, carrying 
pepper spray) forms. 

Scholars who use routine activity theory are particularly interested in how 
daily behavioral routines increase a target’s proximity to motivated offenders 
while also affecting both capable guardianship and target suitability. Under- 
standing routine activities is important in that they normally separate individuals 
from the safety of their homes, people they trust, and their possessions. Scholars 
have found this theory to be very successful in predicting a wide variety of both 
property crime victimization, such as burglary (Cohen & Felson, 1979; Couple 
& Blake, 2006) and larceny (Mustaine & Tewksbury, 1998), as well as violence, 
such as physical assault (Stewart et al., 2004) and robbery (Spano & Nagy, 2005). 


Routine Activity Theory and Cybercrime Victimization 


Routine activity theory was identified by early cybercrime scholarship as a key 
theory to better understand cybercrime (Grabosky & Smith, 2001; Newman 
& Clarke, 2003). Scholars have argued that each component of this theory — 
motivated offenders, suitable targets, and the absence of a capable guardian — are 
present in cyberspace. As the previous chapters have indicated, there is an abun- 
dance of individuals who have the inclination and ability to harass others, down- 
load child sexual abuse materials, hack into computers, or try to commit online 
fraud. In keeping with the spirit of routine activity theory, cybercrime scholars 
do not assess motives but rather focus on the factors affecting victimization risk. 

The suitability or attractiveness of a target in cyberspace varies substantially 
based on the interests of the offender. The target may be a computer system or 
network, sensitive data, or an individual. For the crime of computer intrusion, 
a hacker may want to compromise a system because they want access to specific 
information or files. On the other hand, they may simply want to see whether 
the system can be penetrated (Holt, 2007). In incidents of harassment, an indi- 
vidual may be targeted for various reasons, whether because of a perceived 
slight, a failed relationship, or because of perceived weakness and social isolation 
(see Chapter 9 for detail). 

Finally, there are guardians in cyberspace equivalent to the ones we use to 
protect ourselves in the physical world. Computers have various forms of phys- 
ical guardianship, equivalent to locking our houses, such as antivirus software 
and password-protected screens. Antivirus and similar programs are designed 


expressly to reduce harm from hackers and other cybercriminals who might 


want access to your sensitive information (see Chapter 4). Social guardianship 
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Box 13.4 Self-Protection While Online 


Security Tip (ST06-003): Staying Safe on Social 
Network Sites 


www.us-cert.gov/ncas/tips/ST06-003 


While the majority of people using these sites do not pose a threat, 
malicious people may be drawn to them because of the accessibility 
and amount of personal information that’s available. The more infor- 
mation malicious people have about you, the easier it is for them to 
take advantage of you. 


This security bulletin from the US-CERT provides practical information 
on the ways that individuals can protect themselves and their personal 
information in social media sites like Facebook. The article also demon- 


strates the inherent benefits of self-protection in online environments. 


can play a large role in the cyberworld as well since our friends can protect 
us from harassment and other forms of victimization or they can be the ones 
that harass us, unintentionally send us corrupted files via email, or teach risky 
activities such as how to commit digital piracy. Finally, personal guardianship 
in cyberspace could include developing an understanding of computer technol- 
ogy, updating software, changing passwords, and not providing sensitive per- 
sonal information (see Box 13.4 for example). 

Although the components of routine activity theory easily apply to all forms 
of cybercrime victimization, Majid Yar (2005) expressed concern regarding the 


applicability of the theory as a whole. He notes that routine activity theory: 


requires that targets, offenders and guardians be located in particular places, 
that measurable relations of spatial proximity and distance pertain between 
those targets and potential offenders, and that social activities be temporally 
ordered according to rhythms such that each of these agents is either typi- 
cally present or absent at particular times. Consequently, the transposability 
of RAT to virtual environments requires that cyberspace exhibit a spatio- 
temporal ontology [emphasis in original] congruent with that of the “physical 
world,” i.e. that place, proximity, distance and temporal order be identifiable 
features of cyberspace. (p. 414) 
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In essence, cyberspace does not meet these criteria because virtual environ- 
ments are spatially and temporally disconnected, disorganized, active at all 
times, and web pages are born and die in relatively short amounts of time. 
Most scholars, however, view the interaction of the offender and victim in 
cyberspace through the web or email as analogous to physical interactions 
(Bossler & Holt, 2009). Reyns et al. (2011) addressed this concern theoretically 
with their cyberlifestyle-routine activities theory which connects motivated 
offenders and victims through networked systems. The network between vic- 
tim and offender allows for both a conduit to exist in cyberspace between 
the two groups and an eventual overlap in time for the interaction to occur. 
Other scholars have commented that Yar’s (2005) critique may be applicable 
to offenses committed on certain websites, but that computer networks associ- 
ated with universities, government agencies, and corporations are fairly stable 
and that offenses committed against these networks (e.g., computer intrusions) 
may be more predictable by online routine behaviors of the networks’ users 
(Maimon et al., 2013). 

A large body of scholarship has developed which empirically tests the appli- 
cability of routine activity theory to cybercrime (Bossler, 2020; Holt & Bossler, 
2016). The findings are quite mixed as they vary based on cybercrime type, 
measurements, and samples. Much of the research examining routine activities 
theory and cybercrime victimization has focused on its ability to predict online 
harassment and cyberstalking victimization. The findings provide limited evi- 
dence that general routine technology use affects risk of online harassment or 
cyberstalking victimization, including spending time in chat rooms, social net- 
working sites, and email (e.g., Bossler et al., 2012; Hinduja & Patchin, 2009; 
Holt & Bossler, 2009; Moore et al., 2010; Ngo & Paternoster, 2011; Reyns 
et al., 2011; Ybarra et al., 2007; see Leukfeldt & Yar, 2016 and Wick et al., 
2017 for exceptions). Using a large dataset in the Netherlands, Leukfeldt and 
Yar (2016), however, found that direct forms of communication, such as email, 
MSN and Skype, and Tweeting, increased the odds of interpersonal cyber vic- 
timization as it increased the victim’s online visibility. Wick et al. (2017) also 
found that disclosing personal information online, including both information 
and pictures, was related with a higher likelihood of cyber harassment victimi- 
zation by romantic partners. 

Specific online behaviors have been found to be related to malicious soft- 
ware infections, but the findings vary by sampling. Scholars generally do not 


find online routine behaviors, such as online banking or shopping, emailing, 


or spending time on social media to be related to malware victimization in 
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college samples (Bossler & Holt, 2009; Holt & Bossler, 2013). They have, 
however, found significant relationships in non-college samples. For example, 
Bergemann et al. (2018) found that computer usage frequency and the number 
of Internet devices owned were related to malware victimization in a German 
adult sample. Respondents were able to reduce their odds of victimization by 
avoiding certain behaviors, such as using suspicious Internet links and public 
hotpots, downloading software, and posting private information online. Addi- 
tionally, Reyns (2015) found that booking online reservations, online pur- 
chasing, and social networking were all related to malware victimization in a 
Canadian adult sample. 

The importance of online routine behaviors in understanding online eco- 
nomic crime victimization is also dependent on the type of victimization 
examined. In Ngo and Paternoster’s (2011) examination of phishing victimi- 
zation in a college sample, they found little evidence to support the argument 
that knowing respondent online routine behaviors would help predict who 
is more likely to be a victim of phishing. The only significant behavior that 
increased victimization was whether the respondent committed various forms 
of computer deviance. They did not find that measures of exposure to moti- 
vated offenders (e.g., spending more time on the Internet, writing emails, 
being in chat rooms), target suitability (e.g., communicating with strangers, 
providing personal information, demographics), and capable guardianship 
(e.g., security software, computer skill) were related to phishing victimiza- 
tion. Reyns (2015), however, found in a Canadian sample that several online 
behaviors such as online banking, booking reservations, online purchasing, and 
social networking were related with phishing victimization. In Dutch samples, 
buying products online and participating in direct communication (e.g., email) 
and web forums increased the likelihood of being a victim of online fraud 
(Leukfeldt & Yar, 2016; van Wilsem, 2013). Chen et al. (2017) also found in 
a sample of Internet users that being a victim of an Internet scam was related 
with online shopping, opening emails from unknown sources, and disclos- 
ing information online. These behaviors both increase victim visibility online 
and make them more accessible by motivated offenders, which differentially 
increases risk of victimization. 

In another recent study examining how online routines affected identity 
theft victimization, Reyns and Henson (2016) used data from the 2009 Cana- 
dian General Social Survey and found that individuals that do their banking 
and make purchases online were more likely to be victims of identity theft. 
Individuals who posted personal information on social media sites and other 
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online spaces were also more likely to be victimized. Importantly, those who 
had been targeted by hackers or responded to a phishing email were also much 
more likely to be victimized, suggesting identity theft may be an antecedent 
experience of primary victimization via certain forms of cybercrime (Reyns & 
Henson, 2016). It also appears that racial minorities and those individuals with a 
higher income are viewed as more suitable targets or participate in online activ- 
ities that increase their chances of identity theft victimization. 

Individual involvement in various forms of cybercrime increases the risk of 
cyber victimization as well. Specifically, engaging in bullying, harassment, com- 
puter hacking, digital piracy, and other forms of cybercrime appears to increase 
the risk associated with harassment and bullying (Hinduja & Patchin, 2009; 
Holt & Bossler, 2009; Holt et al., 2012; Ngo & Paternoster, 2011; Reyns et al., 
2011; Ybarra et al., 2007). In addition, committing cyber deviance may lead to 
increased odds of becoming a victim of phishing (Ngo & Paternoster, 2011), 
malware infection (Holt & Bossler, 2013), and online financial crime (Kerstens 
& Jansen, 2016). The online deviant activities of a person’s friends also increase 
the risk of victimization as this directly increases exposure to motivated offend- 
ers while also decreasing guardianship (Bossler et al., 2012; Hinduja & Patchin, 
2008; Holt & Bossler, 2009; Reyns et al., 2011). 

The use of protective software programs, such as parental filtering software 
and antivirus programs, appears to do little to reduce the risk of online harass- 
ment victimization (Holt & Bossler, 2009; Leukfeldt & Yar, 2016; Marcum, 
2010; Navarro et al., 2017; Ngo & Paternoster, 2011). The findings on the 
ability of antivirus programs to decrease malware victimization and online eco- 
nomic victimization are also mixed. Various studies have found strong support 
that antivirus programs decrease these forms of victimization (e.g., Bergemann 
et al., 2018; Williams, 2016). For example, Williams (2016) found that antivirus 
software and secure browsing both decreased the odds of online theft victim- 
ization in the Eurobarometer data. Other studies, however, have found that 
using antivirus software is either not related with phishing victimization (e.g., 
Leukfeldt, 2014) or that it was related with higher levels of malicious software 
infection (e.g., Reyns, 2015). This second finding is presumably because indi- 
viduals with antivirus software programs are more likely to know whether their 
computer has become infected or that they possibly updated and installed their 
software after victimization. 

In a study that specifically examined online forms of identity theft, Holt and 


Turner (2012) examined the protective factors that made certain individuals 


more resilient in high-risk online environments where sensitive information 
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must be transmitted to complete an economic transaction or communicate gen- 
erally. Within their sample of students, faculty, and staff at a large university, 
they found that only 2.3 percent of individuals who reported no risk factors 
(defined in their study as the commission or victimization of different forms 
of online deviance) had someone obtain their financial information electroni- 
cally without their knowledge or permission within the last 12 months. Almost 
15 percent of individuals who reported at least five of these risk factors reported 
being victims of online identity theft. Within this group of high-risk individuals, 
they found that that individuals who updated their protective software, such as 
antivirus, Spybot, and ad-aware, were less likely to be victimized. They did not 
find, however, that having firewall protection or higher levels of computer skills 
decreased victimization within this group. 

Individual technical or computer skills, a form of personal guardianship, 
has generally not been found to be related to lower forms of online harassment 
victimization (Bossler et al., 2012; Holt & Bossler, 2009), phishing (Leukfeldt, 
2014), data loss from malware infection (Bossler & Holt, 2009), or identity 
theft (Holt & Turner, 2012). There are exceptions. For example, Graham 
and Triplett (2017) found in a nationally representative sample that individ- 
uals with more digital literacy were less likely to respond to online phishing 
scams. In some instances, studies have found that those with greater computer 
proficiency may have an increased risk of victimization (Bocij & McFarlane, 
2002; Hinduja & Patchin, 2008; Holt & Bossler, 2009). This may be that 
those with higher computer skills are better able to recognize when they have 
been victimized. 

In summary, routine activity theory has shown itself to be the most empiri- 
cally sound theory in explaining both traditional and cyber victimization. 


General Theory of Crime and Victimization 
Overview 


Another theory used by scholars to account for cybercrime victimization is 
whether the individual characteristics of the victim somehow influenced the 
odds of their victimization. The most common individual theoretical trait 
that researchers have examined in relation to victimization is the individual’s 
level of self-control. Although Gottfredson and Hirschi (1990) consider 
self-control theory to be a general theory of crime, and not technically a theory 
of victimization, they argue that the high correlation between offending and 
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victimization is because both are a result of inadequate levels of self-control 
(pp. 92-94). 

The characteristics of low self-control (i.e., short-sighted, insensitive, impa- 
tient, risk-taking) that increase the odds of offending also theoretically increase 
the likelihood of victimization through various mechanisms (Schreck, 1999). 
Individuals with lower levels of self-control do not accurately consider and 
perceive the consequences of their actions, both increasing the probability of 
crime and victimization. They put themselves in risky situations and act inap- 
propriately, increasing opportunities to offend, while at the same time placing 
themselves in close proximity to offenders who may prey upon them. 

Research over the last decade has shown that Gottfredson and Hirschi’s con- 
cept of low self-control is a consistent but modest predictor of why certain indi- 
viduals are more likely to be victimized (Pratt et al., 2014). Its effect, however, 
is stronger for noncontact forms of victimization (e.g., fraud) than direct contact 
victimization and decreases when controlling for risky behaviors that could pos- 
sibly mediate the relationship (Pratt et al., 2014). 


Low Self-Control and Cybercrime Victimization 


The link between low self-control and traditional victimization appears to 
apply to cybercrime victimization in a variety of ways. First, individuals with 
low self-control favor short-term immediate gratification with little regard to 
long-term consequences (Gottfredson & Hirschi, 1990). Their enjoyment of 
risk-taking and thrill-seeking decreases the safety of themselves and their prop- 
erty, increasing vulnerability to victimization (Schreck, 1999). In online envi- 
ronments, individuals with low self-control engage in risky behaviors, which 
opens them up to malicious software infection and other forms of victimization 
(Holt & Bossler, 2009). They may also interact with strangers in chat rooms and 
other virtual environments and provide them with sensitive information that 
could lead to online harassment or cyberstalking. 

Second, individuals with low self-control have little empathy for others. This 
makes it difficult for them to relate to others, create stronger social ties, and 
understand other people’s intentions (Gottfredson & Hirschi, 1990; Schreck, 
1999), all increasing their vulnerability. If individuals have challenges interacting 
with others face to face, their problems are probably compounded in a virtual 
environment. Third, their low tolerance means they are more likely to want 


to resolve issues physically rather than mentally and may get easily angered or 


frustrated. Individuals who may get easily frustrated or provoked when dealing 
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with others online may simply escalate situations and increase the changes of 
harassment, bullying, or threatening online interactions. 

Finally, individuals with low tolerance may increase their vulnerability when 
they become easily frustrated with complex security devices and stop using 
them or not use them correctly (Schreck, 1999). Unfortunately, computer 
security programs can be quite complex and are not necessarily intuitive. They 
are, however, necessary to protect a computer, its data, and the security of the 
user. In addition, computer owners must be diligent and regularly update pro- 
tective software. Individuals with low self-control are generally not diligent and 
will not consistently make the effort to protect their computer and themselves. 

Empirical research generally finds that self-control is associated with 
cybercrime victimization. The type of cybercrime victimization, however, is 
an important factor in assessing the size of the relationship (Bossler & Holt, 
2010; Reyns et al., 2019). Low self-control might help understand cybercrime 
victimization where the person is the target (e.g., having password changed; 
harassment) and not computers in general (e.g., large phishing attempts; Bossler 
& Holt, 2010; Holt et al., 2016; Pratt et al., 2014; Reyns et al., 2019). When the 
effect of low self-control is statistically significant, its impact is small. 

For example, Bossler and Holt (2010) examined the effect of low self-control 
on five cybercrime victimization types in a college sample. They found that 
having lower levels of self-control increased the risk of one’s passwords being 
obtained to access computer accounts and files, someone adding, deleting, or 
changing information in one’s computer files without the owner’s knowledge 
or permission, and being harassed online. Other studies have also found low 
self-control to be a significant, albeit not the most important, predictor of both 
sexual and nonsexual online harassment victimization and cyberstalking (Fox 
et al., 2016; Holt et al., 2016; Ngo & Paternoster, 2011). 

The literature on the relationship between low self-control and economic 
crime victimization is mixed as it depends on the type of victimization studied 
and the sample utilized. Low self-control has not been found to be signifi- 
cantly related to electronic credit card theft (Bossler & Holt, 2010), identity 
theft (Reyns et al., 2019), and phishing attacks (Ngo & Paternoster, 2011) in 
college samples. Scholars using Dutch data sets, however, have found that there 
is significant overlap between the commission of online financial cybercrimes 
and cyber victimization, including the role that low self-control has in increas- 
ing the odds of various forms of online fraud victimization, including consumer 
fraud, auction fraud, virtual theft, and identity fraud (Kerstens & Jansen, 2016; 
van Wilsem, 2013). 
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In summary, Gottfredson and Hirschi’s (1990) general theory of crime pro- 
vides an interesting perspective of how an individual’s characteristics increase 
the risk of victimization. The inability of individuals with low self-control to 
prevent themselves from committing acts that have long-term negative con- 
sequences may also increase their odds of victimization by placing them in 
risky situations with the wrong people (Schreck, 1999). Although the major 
arguments logically apply to cybercrime victimization as well, empirical studies 
show that low self-control is a weak predictor of person-based cyber victimiza- 
tion types, such as online harassment and hacking victimization. 

It may be that this relationship stems from the fact that individuals with low 
self-control are more likely to associate with delinquent peers who are more 
likely to victimize those who are in close proximity to themselves. For instance, 
Bossler and Holt (2010) found that low self-control’s effect on hacking and har- 
assment victimization became nonsignificant when controlling for peer offend- 
ing. This meant that low self-control did not directly cause these victimizations 
because of impulsivity or carelessness, but that low self-control increased their 
likelihood of associating with delinquent peers who were probably more likely 
to victimize the respondent. Thus, this relationship should be further explored 
to refine our understanding of the relationship between self-control and victim- 


ization generally. 


Need for New Cyberspace Theories? 
Space Transition Theory 


Though there are a number of traditional criminological theories that have 
been applied to cybercrimes, a few researchers have called for new theoretical 
paradigms that may more accurately account for these offenses. For instance, K. 
Jaishankar (2008) proposed a theory he called space transition theory, which 
argues that people behave differently while online than they otherwise would in 
physical space. In turn, individual behavioral patterns are different online than 
they are in physical space. This theory has seven basic postulates about both 
human behavior and offending generally: 


1 Persons with repressed criminal behavior (in the physical space) have a pro- 
pensity to commit crime in cyberspace, which, otherwise they would not 
commit in physical space, due to their status and position. 


2 Identity flexibility, dissociative anonymity, and lack of deterrence factor in 


that cyberspace provide the offenders the choice to commit cybercrime. 
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3 Criminal behavior of offenders in cyberspace is likely to be imported to phys- 
ical space; that in physical space may be exported to cyberspace as well. 

4 Intermittent ventures of offenders in cyberspace and the dynamic spatio- 
temporal nature of cyberspace provide the chance to escape. 


on 


(a) Strangers are likely to unite together in cyberspace to commit crime in 

physical space; and (b) associates in physical space are likely to unite to com- 

mit crime in cyberspace. 

6 Persons from closed society are more likely to commit crimes in cyberspace 
than persons from open society. 

7 The conflict of norms and values of physical space with the norms and values 


of cyberspace may lead to cybercrimes. 


The utility of this theory has yet to be identified as few have empirically inves- 
tigated these hypothesized relationships (see Kethineni et al., 2018 for an 
example). Some of the concepts presented in the theory are variants of concepts 
from previously discussed theories, such as social learning theory. Other prop- 
ositions, however, appear incongruent with some of the information presented 
throughout this book. For instance, there is clear evidence that data thieves may 
not know one another offline but regularly interact in virtual spaces to buy and 
sell personal information (see Chapter 6). Furthermore, the rates of participa- 
tion in cybercrimes like cyberbullying are somewhat consistent across place, 
regardless of the political landscape of the nation (see Chapter 9). Thus, it is 
possible that his insights apply better to some forms of cybercrime than others. 
Regardless, space transition theory is one of the few theories created specifically 
to address cybercrime. Only future empirical testing of his theory will be able 
to assess these propositions. In addition, his theory may inspire other scholars to 
create cybercrime-specific theories. 


Digital Drift 


Another promising approach is to modify traditional criminological theories 
to better fit the realities of cyberspace. Goldsmith and Brewer (2015) recently 
created the concept of digital drift based on Matza’s (1964, 1969) drift the- 
ory, which argues that youth are not completely socialized into a delinquent 
subculture but rather are exposed to delinquent youth and belief systems that 
help neutralize or justify delinquent behavior. Goldsmith and Brewer argue 
that technology creates a wide variety of opportunities for individuals to both 


engage and disengage from different criminal communities on and offline. 
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The anonymity and escapism provided by the Internet allows individuals to 
be exposed to different communities that are disconnected from their actual 
identity and act in ways online that they would not have otherwise in the tra- 
ditional world. 

The Internet provides two conditions necessary for digital drift to occur 
according to Goldsmith and Brewer: affinity and affiliation. Affinity refers to the 
various online content that may appear attractive and exciting to youth (e.g., 
pornography, hacking tips, free music), but exposes them to criminal behaviors 
and justifications that suggest that these online behaviors are socially acceptable. 
Affiliation refers to the means in which youth are able to interact and deepen 
their relationships with online deviants and offenders. Accessing and spending 
time with new online social networks expose youth to individuals who may 
provide justifications, neutralizations, and reassurances that the wrongdoing is 
“normal.” Youth can therefore drift back and forth between conformity and 
deviance depending on whether they are online or not as well as with what 
specific social network they are associating. 

Digital drift would appear to be a useful framework to understand how indi- 
viduals, particularly youth, become exposed and commit common forms of 
cybercrime and cyber deviance by exploring online communities. As discussed 
in various chapters of the book, individuals can learn techniques and justifica- 
tions to hack (Chapter 3), commit digital piracy (Chapter 5), download pornog- 
raphy (Chapter 7), and bully (Chapter 9) via exchanges with online networks. 
Goldsmith and Brewer (2015), however, apply their theoretical adaptation to 
explain acts of lone-wolf terrorism and pedophilia. In the end, Goldsmith and 
Brewer have provided an interesting modified theory which can be applied to 
multiple forms of cybercrime, but a great deal more of theoretical discussion and 
empirical research is necessary by the academic community. 

Finally, another possible step for criminologists to better understand cyber- 
crime offending and victimization is to look at scholarly work from other fields, 
including, but not limited to: computer science, information technology, psy- 
chology, and political science. Criminologists primarily examine the behavioral 
aspects of cybercrime offending and victimization from a sociological perspec- 
tive. They do not have the expertise and backgrounds needed to properly exam- 
ine how the brain operates, how global dynamics influence individual behavior, 
and how to improve computer security safeguards. Drawing from the expertise 
of these relevant fields could greatly improve our understanding of cybercrime 


and identify alternative strategies to address involvement in cybercrime offenses 


(see Box 13.5 for examples of psychological theories of cybercrime). 
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Box 13.5 Psychological Theories of Cybercrime 


Needs analysis surveys for computer crime investigations indicated the 
ability to obtain reliable and valid offender profiles were pressing issues in 
law enforcement (Rogers & Seigfried, 2004). In addition, Loch and Con- 
ger (1996) concluded, “individual characteristics all appear to be important 
in determining ethical computing decisions” (p. 82). Thus, research should 
not only focus on information assurance and security, but it should also 
focus on the personality and cognitive characteristics associated with com- 
puter criminality. This box briefly summarizes three psychological theories 
which have been applied to various cyberdeviance: theory of moral devel- 


opment, theory of planned behavior, and theory of reciprocal determinism. 


Theory of Moral Development (Kohlberg, 1976) 


According to Kohlberg (1976), moral reasoning transforms and devel- 
ops through three levels, with two stages within each level. In the pre- 
conventional level (I), morality is “external,” meaning children view a 
behavior as “good” or “bad” due to perceived rewards and consequences. 
In Stage 1, children engage in behavior because of hedonistic rewards 
and praise that follow and refrain from engaging in certain behaviors to 
avoid possible negative consequences. In Stage 2, the child continues to 
make decisions that satisfy their own needs while occasionally satisfying 
the needs of others. A sense of reciprocity and the motto, “you scratch my 
back, and I will scratch yours” begins. In the conventional level (II), the 
individual begins to recognize and be influenced by social order. In order 
to move into Stage 3, the child must be able to recognize the viewpoints 
of others. In Stage 3, moral behavior is reflected in the labels assigned 
to the child by his/her family, peers, and other social groups. The child 
recognizes that there are good and bad behaviors and it is important to 
be viewed by others as either a “good girl or good boy.” Stage 4 refers 
to the “law and order” orientation, meaning the child feels bound by the 
need to follow rules in order to maintain social order. Acting morally 
means conforming to authoritative figures and obeying social rules. In the 
final level, post-conventional (II), morality is ultimately internalized, and 
the individual begins to define morality apart from formal (laws, social 


rules) and informal social controls (peer groups, family). In Stage 5, the 
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individual recognizes the welfare of others and the fact that moral decisions 
are made for “the greater good.” There is a utilitarian approach to moral 
decision-making, meaning decisions should be made to maximize hap- 
piness and reduce suffering. Finally, Stage 6 is the highest stage of moral 
development known as the “universal ethical-principle orientation.” In 
this stage, an individual has abstract moral principles guided by a sense of 
basic human rights, objectivity, and equal respect for all. 

Research has compared the stages of moral development with ethical 
computer decisions. For example, Gordon (1994) compared the moral 
stages of development in a sample of virus writers classified as adolescent, 
young adult, professional adult, or ex-virus writers. Results suggested the 
adolescent and young adult virus writers were within normal ranges for 
moral development when compared to their nonvirus writer age mates. 
The adult virus writers, however, were in lower stages of moral devel- 
opment compared to their nonvirus writer age mates (Gordon, 1994). 
Rogers (2010) believed script kiddies, the least technical hacker, were only 
at Stage 2 of moral development due to their immaturity and attention- 
seeking behavior. As for cyber-punks and identity thieves, their disregard 
for authority and selfish tendencies also place them into a similar stage of 
moral development as script kiddies. The heterogeneity of virus writers 
makes it difficult to assign a specific stage of moral development, as virus 
writers can range anywhere from Stage 2 to Stage 5 of moral develop- 
ment. Finally, Rogers (2010) suggests the professionals (i.e., an elite group 
of hackers) rank in one of the higher categories of moral development, 
Stage 5, because of their flexibility of moral character, since professionals 
may be either white-, gray-, or black-hat hackers, depending on which 
hacker code they follow. 


Theory of Planned Behavior (Ajzen, 1985, 1991) 


The theory of planned behavior (Ajzen, 1985) argues that whether a person 
intends to engage in certain behaviors is determined by: attitude toward 
the behavior, subjective norm, and perceived behavioral control. First, 
this theory suggests that beliefs create attitudes. Behavioral beliefs, which 
are the expected outcomes for engaging in a particular behavior, influ- 
ence our attitude toward the behavior. For example, we are more likely 
to have a positive attitude toward eating apples if we have positive beliefs 
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about apples, such as “an apple a day keeps the doctor away.” In pre- 
dicting someone’s behavior, we also need to examine their concern over 
“what others might think,” referred to as subjective norms, as well as how 
other people will react to that particular behavior, or normative beliefs. 
Returning to the example of the apple, we might be more motivated to 
eat an apple rather than French fries if we want to be perceived as healthy 
by our peers. Finally, our opinions of perceived control, whether we are 
capable of engaging in the particular behavior, also affect whether we are 
likely to engage in certain behaviors. Perceived control is influenced by 
our control beliefs, which are beliefs about the presence of factors that may 
help or hurt our ability to engage in a particular behavior. If your favorite 
fast-food chain was closing, you might need to decide between being per- 
ceived as healthy by your friends or eating your favorite unhealthy food 
at the restaurant that is closing. Overall, all of these beliefs — behavioral, 
normative, and control — guide the creation of behavioral intentions, and 
these beliefs will be weighted differently based on their importance to a 
particular behavior. 

Only a few studies have applied the theory of planned behavior (Ajzen, 
1985, 1991) to unethical computer behaviors. Chang (1998) found that 
perceived behavioral control was the most significant predictor of peo- 
ple’s intentions to pirate software. Regardless of a person’s intentions, the 
appropriate resources or opportunities must be present in order for that 
person to engage in the unethical computer behavior. Rennie and Shore 
(2007) suggested six controls to curb a person’s intentions to engage in 
computer hacking: (1) computer security legislation; (2) reducing vul- 
nerability of computer systems; (3) parental controls; (4) reducing peer 
pressure; (5) cyber policing; and (6) reducing access to hacking tools. 
These controls relate directly to Ajzen’s (1985) perceived control, subjec- 
tive norms, and attitude toward the behavior. For example, encouraging 
parents to talk to their children about computer ethics, as well as reduc- 
ing the impact of peer pressure, may deter an individual from computer 
hacking due to changes in subjective norms. In addition, strengthening 
computer and information security, as well as making it difficult to obtain 
computer hacking tools, will increase the perceived controls over one’s 
ability to engage in computer hacking. Finally, through computer secu- 


rity legislation and cyber policing, an individual will more likely view 
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computer hacking in a negative light due to the possible negative out- 


comes (1.e., prosecution). 


Theory of Reciprocal Determinism (Bandura, 1977) 


When we try to understand “why” people behave in a certain way, we 
tend to argue for either nature or nurture explanations. Bandura’s (1977) 
theory of reciprocal determinism combined the classic “nature versus 
nurture” attitude into a social cognitive theory that acknowledges both 
the external and internal factors related to human behavior. The theory 
of reciprocal determinism states psychological, biological, and cognitive 
(personal internal factors = P) and environmental (external factors = E) 
factors all interact and exert bidirectional influences on human nature 
(behavior = B). These factors intermingle and affect one another in multi- 
ple directions; however, reciprocity does not imply equality in the amount 
of influence that one factor has over another (Bandura, 1977, 1978, 1994). 
Overall, determinism reflects an interaction between multiple variables 
in multiple directions rather than an independent relationship resulting 
in unidirectional cause and effect. In addition, the variables in the tripar- 
tite model differ in regards to their strength or magnitude of influence 
on human nature. According to Bandura (1986), “when situational con- 
straints are weak, personal factors serve as the predominant influence in 
the regulatory system” (p. 35). If environmental constraints are “weak,” 
there are ineffective barriers keeping an individual from engaging in a 
particular behavior. 

For example, the globalization of technology has created an environ- 
ment where Internet child pornography is readily available, accessible, and 
affordable (Triple-A Engine, see Cooper, 1998). Essentially, viewing child 
pornography is both easy to commit and not get caught. There are other 
external factors, unique in some aspects to cyberspace, which may influ- 
ence whether an individual engages in computer deviance. According to 
Campbell and Kennedy (2009), “characteristics inherent to the electronic 
environment may contribute to antinormative behaviors” (p. 18), specif- 
ically anonymity (Lipson, 2002), reduced social cues (Kiesler & Sproull, 
1992), and deindividuation (Zimbardo, 1969). As stated by Morahan- 
Martin and Schumacher (2000), “Social contact over the Internet does not 
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involve face-to-face communication and can even be anonymous, which 
can lessen social risk and lower inhibitions” (p. 25). Internet users are able 
to try out new roles, identities, and self-presentations, which is facilitated 
by the perceived anonymity or “cloak of safety” provided by the Internet. 
For example, anonymizers, steganography, and encryption are considered 
hacker “tools of the trade,” which provide some level of anonymity and 
secrecy online (Holt, 2010). 

Overall, Bandura’s theory of reciprocal determinism incorporates both 
the environmental and personal factors associated with human behavior. 
Preliminary research suggests this theory may explain why some people 
are more likely to engage in cybercrime, specifically Internet child por- 
nography, when others do not. Future research is needed to determine if 
this theory is applicable to other forms of cybercrime. 

What similarities do you see between these three psychological theo- 
ries and the criminological theories covered in this chapter? 


Summary 


Criminological theory has much to offer to our understanding of both cybercrime 
offending and victimization. Although the criminological theories discussed in 
this chapter have important insights on why certain individuals are more likely 
to offend or be victimized, empirical studies have provided more support for 
certain theories overall. For example, Ron Akers’ (1998) social learning theory 
is currently the best theoretical framework that we have to understand both tra- 
ditional and cybercrime offending. Cohen and Felson’s (1979) routine activity 
theory is the most utilized and supported theory to explain traditional and cyber 
victimization. Other theories have shown moderate support and need more 
scrutiny to determine their validity for cybercrime. 

Most assessments involve some form of digital piracy offending and harass- 
ment victimization. An increased amount of work is occurring explaining the 
correlates and causes of computer hacking and identity theft, but scant research 
has been conducted on more complex forms of cybercrime such as malicious 
software distribution and cyberterrorism. In addition, it is possible that cyber- 
crime with all of its unique characteristics will prompt new theories to be cre- 
ated. The creation of new theories to explain crime in the virtual world might 
not only help provide a better understanding of cybercrime but may possibly 


lead to new insights about crime in the physical world as well. 
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Key Terms 


Absence of a capable guardian 
Appeal to higher loyalties 
Argot 

Celerity 

Certainty 

Condemnation of the condemners 
Definitions 

Denial of a victim 

Denial of an injury 

Denial of responsibility 
Deterrence theory 
Differential association 
Differential reinforcement 
Digital drift 

Drift 

General strain theory 
General theory of crime 
Imitation 

Motivated offender 

Routine activity theory 
Self-control 

Severity 

Social learning theory 

Space transition theory 
Subculture 

Suitable target 

Techniques of neutralization 
Vulnerability 


Discussion Questions 


1. Do you agree that cybercrime is “old wine in a new bottle?” 
2. Which theory made the most sense to you in explaining crimes in a vir- 
tual world? Why? 
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. Think of a recent news event involving cybercrime. Which the- 
ory helps you better understand why that individual committed that 


crime? 


aN 


. Does the idea of a low-self-control hacker make sense to you? Why or 


why not? 


on 


. What risky activities do you partake in when you are online? How do 
those actions relate to routine activity theory? 
6. Do we need cybercrime-specific theories or are traditional criminological 


theories adequate? 
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Chapter Goals 


e Differentiate between computer forensics and digital forensics 

e Explain the ad hoc, structured, and enterprise phases of digital forensics 

e Identify potential sources of digital evidence 

e Understand the differences between closed-source and open-source 
software 

e Describe the four stages in a digital forensic investigation 

e Examine the role of digital evidence in criminal and civil court cases 

e Understand the importance of evidence integrity to digital forensic 


investigations and the court of law 


Introduction 


In March 2010, 18-year-old Kimberly Proctor was brutally raped and murdered 
in the small town of Langford in British Columbia, Canada, by two teenage 
boys, Kruse Hendrik Wellwood, 16, and Cameron Alexander Moffat, 17 (CBC 
News, 2010). Kimberly was lured to Wellwood’s home where she was beaten, 
tortured, and sexually assaulted for several hours, her legs and arms were bound 
with duct tape, and her head was covered with a plastic bag. Kimberly was 
stuffed into a freezer then left overnight, and according to court documents, 
she died of asphyxiation. The medical examiner, however, was unable to deter- 
mine if she was deceased prior to or after being placed in the freezer. In the 
morning, her body was driven to a secluded area under a bridge where the 
teenage boys set her on fire. This crime was solved thanks to a digital trail of 
evidence left behind by the two teenage boys. According to Roberts (2011), 
“police investigating this case ... gathered the digital equivalent of 1.4 billion 
pages of paper evidence, including Facebook and MSN messages, text messages 
and chat histories” (para. 7). For example, while chatting on World of Warcraft, 
Wellwood confessed to the murder of Kimberly Proctor to his online gamer 
girlfriend (Zetter, 2011). In 2011, both teenage boys pleaded guilty to first- 
degree murder and indignity to human remains and were sentenced as adults 
to life imprisonment with no possibility of parole for ten years. The murder of 
Kimberly Proctor was solved through the use of digital forensics. 

Before we discuss the evolution of digital forensics, it is important to under- 
stand what we mean by the term forensic science. Forensic science is the 
application of science to the law, meaning the scientific process of gathering and 
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examining information to be used by the criminal justice system (see Saferstein, 
2010). When compared to the other fields of forensic science, digital forensics 
is in its infancy. 

Consider the field of forensic entomology. Forensic entomology is the study 
of insects in death investigations, and its first recorded use was in a homicide 
investigation in 13th-century China (McKnight, 1981). The case involved a 
homicide where the weapon was determined to be a sickle. All of the men in 
the village laid their sickles down on the ground, and although they all appeared 
to be “clean” to the naked eye, the murderer’s sickle became covered with flies 
due to the small traces of blood and tissue that remained on the sickle — the 
murderer then confessed to the crime (McKnight, 1981). 

What does forensic entomology have to do with the history of digital foren- 
sics? Think about all of the changes that have occurred over the years in the 
different branches of forensic science — the advancements with technology in 
DNA analysis or the ability to obtain latent fingerprints. It only makes sense that 
digital forensics is a new branch of forensic science — it could not exist without 
the advent of computer technology. A central theme throughout this chapter 
is the fact that technology has been the driving force behind the field of com- 
puter forensics. The field of computer forensics evolved into the field of digital 
forensics as technology continued to influence law enforcement investigations. 

Digital forensics may be the youngest of the forensic sciences, but that does 
not mean it is the least important. By the end of this chapter, you will appre- 
ciate how almost every criminal investigation now involves some form of dig- 
ital evidence. In addition, you will understand the difficulty law enforcement 
faces when trying to identify and recover evidence from the ever-changing and 
developing digital world. Finally, we will explore the importance of evidence 
integrity and forensic soundness since digital evidence is only admissible if its 


authenticity can be verified in a court of law. 


From Computer Forensics to Digital Forensics 


The need for computer forensics developed with the onset of the Information 
Age or Digital Age; this digital revolution was marked by the increased produc- 
tion, transmission, and consumption of, and reliance on, information. Modern 
computers began to emerge in the mid-20th century and were mostly owned 
and operated by large corporations, such as universities and government agencies. 


At this time, traditional computer crime investigations were theft of computers 


or computer components. However, the Information Age changed the meaning 
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of the word computer crime. As personal computers surfaced in the mid-1970s, 
old crimes with new tricks emerged as well, and computer crimes were no longer 
limited to only theft of components. Computers were now being used to commit 
old crimes using new tricks, specifically referring to financial crimes (fraud, embez- 
zlement), the majority of which were committed by insiders (Clifford, 2006). 
For example, individuals employed at financial institutions embezzled money by 
writing computer programs that would transfer a tenth ofa cent into their account 
(Fernandez et al., 2005). This type of fraud is referred to as salami slicing because 
only small amounts of money are taken from each account, but the dividends add 
up to a tremendous sum (Kabay, 2002). With computers being used as the means 
for criminal activity, such as computer fraud or embezzlement, there was a grow- 


ing concern of how best to combat these “old crimes with new tricks.” 


Events of the 1970s 


By the late 1970s, there was an increasing recognition that computer criminal- 
ity was growing on a national and international scale. In 1976, the Council of 
Europe Conference on Criminological Aspects of Economic Crime was held 
in Strasbourg, France. This conference identified several categories of computer 
crime, including fraud (Schjolberg & Tingrett, 2004). In the United States, the 
first federal cybercrime legislation was introduced, the Federal Computer Systems 
Protection Act of 1977, by Senator Ribikoff. This Act would make “the use, for 
fraudulent or other illegal purposes, of any computer owned or operated by the 
United States, certain financial institutions, and entitles affecting interstate com- 
merce” a federal crime. Although this act was not passed, Senator Ribikoff is cred- 
ited for raising awareness of the need for cybercrime legislation (Clifford, 2006). 
Shortly thereafter, Florida became the first state to enact a cybercrime law, 
the Florida Computer Crimes Act of 1978. This legislation was in response 
to a scandal at the Flagler Dog Track in Miami, Florida, where employees used a 
computer to print fraudulent tickets (see Box 14.1; Hochman, 1986). The Flor- 
ida Computer Crimes Act (1978) cited offenses against intellectual property, 
offenses against computer equipment or supplies, and offenses against computer 
users. In other words, it was a felony to access another’s computer or modify, 
delete, or copy files without authorization, and it became a misdemeanor to 
modify or damage computer equipment without authorization. In the United 
States, a felony is considered to be a more serious criminal act that is usually pun- 
ishable by one year or more in prison, whereas a misdemeanor is considered a less 
serious offense that is usually punishable up to one year in jail (see Kamisar et al., 
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Box 14.1. The Flaggler Dog Track Incident 
Win, Place ... and Sting 


https://vault.si.com/vault/1979/07/23/win-placeand-sting 


[Jacques Lavigne] knew he was going to make a potful of money ... 
He could do it quickly enough to avoid suspicion. And ... right under 
the noses of the men the state paid to stand watch — because they knew 


zilch about computers. 


This article describes one of the first instances of computer crime, which 
became a seminal case in the development of legislation for the United 
States. Readers will gain an understanding for how technology was viewed 
at the time, and how it has dramatically changed over the last few decades. 


2008). It was not until 1986 that the United States passed its first federal law 
criminalizing the unauthorized access of a computer, the Computer Fraud 
and Abuse Act (see Chapters 3 and 4 for more detail on the revised statutes). 
In 1979, Interpol, the world’s largest police agency, was the first interna- 
tional organization to address the growing concern of computer fraud: “The 
nature of computer crime is international, because of the steadily increasing 
communications, ... between the different countries. International organiza- 
tions, like Interpol, should give this aspect more attention” (Interpol, 1979; 
Schjolberg & Tingrett, 2004). It was not until 1983 that an ad hoc committee 
sponsored by the OECD assessed the need for an international response to 
cybercrime. The OECD is an intergovernmental organization comprised of 
29 countries, including the United States, which promotes policy-making 
among member and nonmember states and the United Nations (Clifford, 2006). 
The final report recommended a “harmonization of criminal laws” that penal- 
ized computer fraud, computer forgery, damage to computer data, copyright 
infringement, and unauthorized computer access (Schjolberg, 2008). 


Early 1980s: Pre-Forensics/Ad Hoc Phase 


By the 1980s, more and more computer crimes were being committed during 
the Information Age, and law enforcement officers found themselves collect- 
ing digital evidence, specifically computers and floppy disks from financial and 
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Fig. 14.1 
Floppy disks 


Source: The 
8-inch floppy 
disk was created 
by IBM’s Alan 
Shugart in 1971. 


http://commons. 


wikimedia. 
org/wiki/ 
File:8%60%60_ 
floppy_disk.jpg 
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computer fraud investigations. However, law enforcement needed a way to 
convert computer evidence into “physical” evidence. For example, holding an 
8-inch floppy disk (see Figure 14.1) in front of the jury does not give them a 
sense of its evidentiary value — the jury must be able to see the contents of the 
floppy disk. 

The ability to convert computer evidence into “physical” evidence fueled 
the need for computer forensics, which is the examination of powered-down 
computer components, also known as dead-box forensics. Computer foren- 
sics, a branch of the forensic sciences, refers to the investigation and analysis of 
media originating from digital sources in an effort to uncover evidence to pres- 
ent in a court of law (Britz, 2009). However, only government agencies, such 
as the Internal Review Service (IRS), were developing computer forensic tools 
at this time, and these tools were not made available to other law enforcement 
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agencies or industry. This all changed when Norton Utilities released to the 
public the UnErase tool, which was capable of recovering lost or deleted files 
(Fernandez et al., 2005; Nelson et al., 2004). Norton did not intend to create a 
forensic tool, but this product’s ability to recover latent, or hidden, evidence 


made an important contribution to the computer forensics field. 


For more information on the history, utility, and processes of ree 0 
UnErase, go online to: https://www.pcjs.org/blog/2018/12/28/ tay a 


Although there was some progress being made with computer evidence, 
Charters (2009) states that the early 1980s should be considered pre-forensics 
because there was a lack of formal structure, protocols, training, and adequate 
tools. This pre-forensics stage is also known as the Ad Hoc phase and is con- 
sidered to be the first stage of evolution for computer forensics. The term Ad 
Hoc refers to something that has been created because of an immediate need, 
and because of this immediate need, the approach is usually unmethodical or 
unprincipled (i.e., not theory-driven). According to Charters (2009), it was 
during the Ad Hoc phase that corporations began to collect evidence that their 
computer systems were being “inappropriately” used by employees. According 
to Shaw et al. (1998), “staff employees pose perhaps the greatest risk in terms 
of access and potential damage to critical information systems” because they 
are viewed as trusted members of the organization (p. 3). However, during the 
Ad Hoc phase, upper management lacked specific company policies defining 
“appropriate vs. inappropriate computer usage” as well as procedures for due 
process. Therefore, when these inappropriate use cases did make it to trial, the 
courts raised questions about the chain-of-custody procedures and accuracy of 
the computer forensic tools. 

In addition, during the Ad Hoc phase, law enforcement officers were analyz- 
ing the original evidence — rather than a duplicate or backup copy — so any mod- 
ifications or errors during the computer forensic examination directly affected 
the accuracy of the evidence. Accuracy refers to the integrity of the data, such 
as whether or not the evidence remains unchanged or has been altered by the 
computer forensics tool. In addition, the courts were concerned with chain of 
custody, which refers to the chronological documentation of evidence as it is 


processed during the investigation (i.e., seizure, custody, transfer, and analysis; 


Britz, 2009). This was one of the most unfortunate things about the Ad Hoc 
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phase — the fact that cases were lost due to the lack of policies and standardized 
tools in this new field of forensic science (Charters, 2009). 

For example, an employee was fired for violating the company’s appropriate 
use policy when he was caught searching through private personnel files. The 
employee claimed that he accidentally came across the personnel files, and that 
just so happened to be the moment his boss walked into the office. After being 
fired, the employee sued the company for wrongful termination, claiming that 
law enforcement officers did not follow procedures for collecting and analyzing 
the computer evidence. For instance, who was in possession of the evidence 
during transfer and how was the computer evidence stored? Of course, in the 
1980s, there were no guidelines or protocols for computer evidence collec- 
tion. In addition, the attorney argued that there was no proof of the computer 
forensic tool’s accuracy and it was possible that this tool had tampered with the 
computer evidence. Due to the lack of structure in the Ad Hoc phase, cases like 


this proved difficult to prosecute. 


Mid-1980s: Structured Phase 


In response to the problems associated with the Ad Hoc phase, computer forensics 
progressed into the Structured phase during the mid-1980s. The Structured 
phase is specifically characterized by the harmonization between computer foren- 
sic procedure/policy and computer crime legislation. First, several federal statues 
criminalized various forms of hacking (see Chapter 2) and wire fraud (1.e., fraud 
committed through the use of electronic communication) (see Chapter 6) (Clif- 
ford, 2006). In addition, companies drafted appropriate use policies for their 
employees as well as due process procedures for investigating violations of these 
new policies. Finally, the courts pushed the field of computer forensics to develop 
tools that could withstand courtroom challenges, along with standards for evi- 
dence collection (Charters, 2009). During the beginning of the structured phase, 
most of the computer forensic examinations were confined to a single computer 
component and suspect. Few law enforcement officers were “trained” in com- 
puter forensics (i.e., they were self-declared experts), and the forensic tools were 
expensive, so the collection and examination of computer evidence was either 
inaccessible or unaffordable for most law enforcement agencies. 

During this time, more and more people began owning a personal com- 
puter, cell phone, or other digital device. Therefore, more and more crimes 
were being committed that involved some form of digital evidence. The way 
people used technology was continuously changing as well. For example, cell 


Evolution of Digital Forensics 


phones had limited functionality during the early 1990s (e.g., they could not 
send text messages or connect to the Web) until the development of the Black- 
berry and related devices in the late 1990s. Therefore, technological change 
forced changes in how law enforcement viewed computer evidence. 

In response to technological change, a number of professional organizations 
emerged, such as the Scientific Working Group on Digital Evidence (SWGDE; 
Whitcomb, 2002). At the inaugural meeting of SWGDE in 1998, Federal 
Bureau of Investigation and Postal Inspection Service officers created the first 
definition of digital evidence: “any information of probative value that is stored 
or transmitted in a binary form” (Whitcomb, 2007, p. 7). It may seem counter- 
intuitive for the PIS to have such an influential role in digital forensics; how- 
ever, this agency investigates more than just mail fraud. Shortly thereafter, the 
first forensic science section on digital evidence was held at the International 
Association for Forensic Science conference in 1999 (IAFS; Whitcomb, 2007). 
In addition, the first peer-reviewed journal dedicated to digital evidence, the 
International Journal of Digital Evidence, debuted in 2002. As evidenced, the field 
of computer forensics became more structured and organized as industry, prac- 
titioners, and academia pursued the science behind digital investigations. 

Toward the end of the Structured phase, computer forensics evolved into 
what we now understand to be the field of digital forensics. Computer forensics 
was no longer a term that accurately represented the various forms of digital 
evidence. After all, computer forensic examinations extend beyond the tradi- 
tional forms of computer hardware to include other forms of digital evidence, 
defined as information that is either transferred or stored via a computer (Casey, 
2011). Digital evidence may be found on mobile phones, GPS devices, cameras, 
and networks, to name a few. 

Recognizing this growth in digital evidence, an umbrella term was created, 
digital forensics. Digital forensics refers to the analysis of digital evidence, 
which includes network forensics (Internet traffic), computer forensics, 
mobile-device forensics (e.g., cell phone), and malware forensics (e.g., viruses; 
see Chapter 4; Casey, 2011). Overall, digital forensics included a whole array 
of digital devices, and in most cases, the development of new technology (e.g., 
Xbox, PlayStation 2) required new forensic tools. For example, many gaming 
consoles, such as Xbox and PlayStation 2, have similar properties to other dig- 
ital devices in that users can surf the web or use the gaming consoles as storage 
devices for media. 


What these technological advances meant for law enforcement was the fact 


that the same criminal activities afforded to more “traditional” digital devices 
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(e.g., mobile phones) were now being committed on less-traditional digital devices 
(e.g., Xbox). This assortment of digital technology meant law enforcement needed 
more forensic tools to conduct their investigations. Thus, this surge in forensic 
tools moves us into the final phase of digital forensics — the Enterprise phase. 


Early 2000s: The Golden Age 


According to Charters (2009), the Enterprise phase of digital forensics — also 
known as the Golden Age (Garfinkel, 2010) — began in the early 2000s. The 
courts were becoming more and more familiar with the process of collect- 
ing and examining digital forensic evidence, and the forensic industry began 
to develop tools that alowed for the examination of computer evidence. In 
response to demands by law enforcement, commercial tools were created that 
allowed for the examination of evidence on-site, that is to say, at the scene 
rather than back in the laboratory. 

During this time, open-source digital forensic tools debuted, which are 
software programs that can be freely used, modified, and shared with anyone 
(see Altheide & Carvey, 2011). There is a lot of controversy surrounding open- 
source digital forensic tools because, as part of the distribution terms, the source 
code must be made available, without discrimination, to the general public 
(Open Source Initiative, n.d.). In other words, computer criminals and law 
enforcement (and anyone else) will have access to the source code for open- 


source digital forensic tools. 


For a list of open-source digital forensic tools, go online to: 
https://forensicswiki.xyz/wiki/index.php?title=Tools 


The source code is simply the human-readable instructions written by the pro- 
grammer for how the software works (e.g., Java); this code is then translated 
into object code so the computer can execute the instructions (Zanero & Hue- 
bner, 2010). For closed-source or proprietary software, usually the source 
code is not made available to the general public; only the object code, which 
restricts the ability of users to modify and share the software due to copyright 
infringement, is publicly shared (Zanero & Huebner, 2010). The benefits of 
open-source digital forensic tools are the ability to identify and fix bugs within 


the software, and the opportunity to learn more about how the tool works 
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(Altheide & Carvey, 2011; Zanero & Huebner, 2010). There is an inherent 
transparency with open-source software compared to the black box of pro- 
prietary software, which some argue makes it easier for open-source tools to 
be admissible in court (Carrier, 2002). Both open-source and closed-source 
tools will continue to play an important role in digital forensics, especially since 
crimes increasingly involve at least one digital element (Clifford, 2006; Maras, 
2012; Sachowski, 2018). 

Think about your own technological devices. You may own a laptop or tab- 
let, and possibly a smartphone, but what about your MP3 player, gaming system, 
or Wi-Fi-enabled television? It is possible that all of these devices would need 
to be collected and examined for potential evidence during a digital forensic 
investigation, and with the globalization of technology and the Internet, there 
will continue to be an increase in the abundance of digital data that needs to 
be analyzed for potential evidence. In addition, not only are there more devices, 
the sizes of the storage systems have increased as well. Thus, the sheer amount 
of data that needs to be examined is daunting for law enforcement as well as the 
cost associated with training, certification, and the forensic equipment. 

Digital forensics, as a discipline, struggles with training, certification, accred- 
itation, and other educational issues (Losavio et al., 2016; see Chapter 16). 
Digital forensic practitioners display their qualifications by either obtaining cer- 
tification or accreditation for themselves, their laboratory or unit, or by relying 
on testing and court procedures for displaying their credibility. Typically, the 
decision between how credibility is obtained depends on what is practical and 
affordable for the digital forensic practitioner (Sommer, 2018). There is still 
no agreed upon criteria for what the basic qualifications of a digital forensic 
practitioner should be. While some states have a standardization for forensic 


credentialing, there is still no consistency at the federal level (Zahadat, 2019). 


End of the Golden Era and the Challenges 
of New Technologies 


For these reasons, Garfinkel (2010) argues the Golden Age of digital forensics is 
coming to an end. The future of digital forensics will rely on advancements in 
scientific research and standards for education and certification. In addition, the 
future will be shaped by digital evidence derived from nontraditional devices 
and technology, such as drones, Internet of Things (IoT) devices, and vehi- 


cle systems. In addition, the future of digital forensics will be shaped by the 


ever-changing platforms of social media. 
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Fig. 14.2 An 
unmanned 
aircraft system 
(UAS) also 
known as a 
drone. The 
future of 
digital forensics 
will involve 
extracting 
digital 
evidence from 
nontraditional 
digital devices, 
such as drones 


Source: Image 


courtesy of www. 


Shutterstock.com 
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According to the Federal Aviation Administration (FAA), an unmanned 
aircraft system (UAS), often referred to as a drone, is an aircraft controlled from 
an operator on the ground instead of the pilot being onboard (see www.faa.gov; 
see Figure 14.2). In December 2016, there were at least 616,000 registered drones 
in the United States (Federal Aviation Administration, 2016). However, as of Jan- 
uary 2021, this number has increased to over 1.78 million registered drones in the 
United States (Federal Aviation Administration, 2021). As mentioned previously, 
digital forensics is an umbrella term that houses different branches of forensics. 
Drone forensics constitutes a subtype of wireless forensics under the broader 
term, network forensics (Singh, 2015). According to Singh (2015), drone foren- 
sics “involves the forensics of the server present at ground level where informa- 
tion is being transferred and stored and the forensics of the drone device” (para 8). 

Due to their surveillance capabilities (e.g., aerial views, terrain mobility, 
audio/video recordings, photography), law enforcement are using drones to 
assist in their investigations because they may be considered “flying witnesses” 
(Shaw & Hilton, 2016). For example, footage taken by a drone’s high-definition 
camera was admitted as forensic evidence in court for a rape case involving two 


students (Pilkington, 2014). A specific criminal case example of drone forensics 
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does not exist as of yet, but the courts are discussing the authenticity of evi- 
dence from drones, such as audio and video recordings (Shaw & Hilton, 2016). 
According to Shaw and Hilton (2016), “a picture is a picture, a video a video” 
(p. 26), so the courts should regard drone-evidence as “no more or less reliable 
than evidence gathered by any other method” (p. 27). 

Just as with drones, digital forensic evidence may exist on nontraditional devices 
known as the IoT. The Internet of Things (IoT) is defined as a “network of 
physical objects (or ‘things’) that connect to the internet and each other and have the 
ability to collect and exchange data” (Peyton, 2016, p. 1). These objects are able to 
interact with each other and the Internet through embedded technology (Oriwoh & 
Williams, 2015). In 2009, the number of things connected to the Internet surpassed 
the number of people worldwide. It is estimated that by 2025, there will be up to 
21.5 billion connected devices worldwide (Statistica Research Department, 2021). 

Like drone forensics, Internet of Things (loT) forensics is a type of wire- 
less forensics. loT devices encompass a wide-range of sectors, including weara- 
ble, smart homes, manufacturing, supply chain, healthcare, energy, agriculture, 
and vehicles (Eclature, 2020). loT devices include light bulbs, thermostats, door 
locks, fridges, cars, smart speakers, and even pacemakers, just to name a few. 
According to Robots (n.d.), the most popular IoT devices in 2020 focused on 
home automation (e.g., Smart Lock, Smart Pet Feeder) and greener environ- 
ment (e.g., Air Pollution Monitor, Thermostat). 

The first criminal case involving a smart loT device was the murder of Vic- 
tor Collins (McLaughlin & Allen, 2016). On November 22, 2015, James Bates 
called 911 stating that he found Victor Collins dead in his hot tub. Bates told 
law enforcement that he had two friends over that night, including Victor Col- 
lins, to watch football and drink. Eventually, they all decided to hang-out in the 
hot tub until around 1:00 a.m. when James Bates went to bed. According to 
the Arkansas State Crime Lab, Victor Collins’ death was ruled as a homicide by 
strangulation (Sitek & Thomas, 2016). A witness recalled hearing music stream- 
ing that night from Collins’ Amazon Echo, a smart speaker that responds to the 
name “Alexa” (McLaughlin & Allen, 2016). In addition, Collins owned a smart 
water meter, which measures the amount of water used hourly (Gilker, 2016). 

Both the Amazon Echo and smart water meter were collected by law 
enforcement. Law enforcement analyzed the smart water meter and learned that 
an abnormal amount of water was used during a 2-hour window the evening of 
the murder. Law enforcement believes this data indicates that James Bates 
cleaned up the murder scene during this 2-hour period (Gilker, 2016). Law 
enforcement were unable to obtain data from the Amazon Echo, Alexa, so the 
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Prosecutor’s office asked the court to force Amazon to provide data from the 
Echo for the night in question (see Box 14.2; Swearingen, 2016). Alexa works 
by passively recording everything you say, although none of the recordings are 
sent to Amazon unless you use the keyword, Alexa. Only then does Alexa 
record your command/question, which is then sent to Amazon’s cloud servers 
(Swearingen, 2016). It is possible that the company may either be compelled to 
provide the data, or may find a reason to voluntarily provide it to law enforce- 
ment (see also the FBI-Apple Encryption Dispute discussed in Chapter 14). 
Until such time, this presents a challenge to law enforcement agencies as to how 


to use all possible data points to support a prosecution. 


To read the actual Affidavit for the State of Arkansas v. Bates case, 
please visit: http://stopsmartmeters.org/wp-content/uploads/2016/08/ 
SKMBT_42316081516000.pdf 


Finally, as already mentioned, more and more people around the world are 
using digital devices, so more and more crimes involve some form of digital 
evidence — usually from multiple devices. However, it is not just about owning 
a personal device anymore — it is also about your presence on the Internet — 
specifically on social media. 


Box 14.2 Digital Evidence in Amazon Echo 


Alexa a Witness to Murder? Prosecutor’s Seek Amazon 
Echo Data 


https://www.bloomberg.com/news/articles/2016-12-28/alexa-a- 


witness-to-murder-prosecutors-seek-amazon-echo-data 


Authorities investigating the death of an Arkansas man whose body was 
found in a hot tub want to expand the probe to include a new kind 
of evidence: any comments overheard by the suspect’s Amazon Echo 


smart speaker. 


This article discusses the murder investigation of Victor Collins and 
whether the suspect’s Amazon Echo may reveal relevant evidence on the 


night in question. 
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According to Kaplan and Haenlein (2010), social media is a “group of 
Internet-based applications that build on the ideological and technological foun- 
dations of Web 2.0 (e.g., increased broadband availability and hardware capac- 
ity), and that allow the creation and exchange of User Generated Content” 
(p. 61). User generated content is any form of “voluntarily contributed data, 
information, or media that then appears before others in a useful or entertaining 
way” (Krumm et al., 2008, p. 10). User generated data includes a variety of social 
media posts, such as restaurant reviews, images, videos, and blogs. In order for 
data to be considered user generated content, it must be: (1) published either on 
a publicly accessible website or available to a select group of people on a social 
networking site; (2) exhibit a certain level of creative effort; and (3) it needs to be 
created outside of professional routines and practices (Organization for Economic 
Cooperation and Development [OECD], 2007). Based on these definitions, 
social media not only includes social networking sites (e.g., Facebook, LinkedIn), 
but blogs, virtual social worlds (e.g., Second Life), collaborative projects (e.g., 
Wikipedia), content communities (e.g., YouTube), and virtual game worlds 
(e.g., World of Warcraft, RuneScape; Kaplan & Haenlein, 2010). Overall, social 
media sites create an environment that allows users to communicate and share 
information with others who are either connected directly (member of site) or 
indirectly (e.g., friends of friends) within the network (Brunty & Helenek, 2013). 

Mobile devices, like smartphones and tablets, allow their users to download 
applications, known as “apps,” that perform certain tasks, such as communi- 
cating, gaming, or sharing content (see Figure 14.3). In 2020, there were more 
than 1.96 million apps available for download on the Apple App Store and 
2.87 million on Google Play Store (Clement, 2020). According to Apptop- 
ica, the most downloaded social media app in 2020 was TikTok, with over 
82 million, followed by Instagram and Snapchat (Bellan, 2020). There is a vast 
amount of user generated content and data as a result of our online interactions. 
As a result, privacy and security concerns have emerged, leading to the devel- 
opment of apps that use end-to-end encryption (e.g., WhatsApp), anonymity 
(e.g., Confide), or even decoy applications (e.g., Calculator+). 

These decoy applications are known as vault apps, which secure and “hide” 
your private data by either disguising themselves by pretending to look like 
other applications (e.g., Calculator+) or by only displaying information when 
the user enters a valid password (e.g., Private Photo Vault; Newton, 2018). As 
shown in Figure 14.4, these vault applications that store photos, for example, 


might appear as a “calculator” app on a person’s mobile phone. It is possible 


for malicious actors to use these vault applications to hide content that may 
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Screenshot 
of the variety 
of apps on a 
Pixel 5 phone; 
example 
social media 
apps include 
YouTube, 
YouTube 
Music, 
Instagram, 
Snapchat, 
Twitter, 
Tiktok, 
MyFitnessPal, 
Zero, Fitbit, 
Bublup, 
ProtonMail, 
Blogger, and 
Discord 
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be illegal or show illegal activity. For example, a criminal may store sexually 
explicit images of children, or pictures relating to an illegal sale of drugs, on 
these vault applications (see 4.3). Therefore, vault applications need to be 
viewed from not only a user security perspective but also from an investigative 
anti-forensics’ standpoint (Zhang et al., 2017). 


Fig. 14.4 
Screenshot of 
the variety of 
vault apps on 
an iPhone; 
examples of 
photo vault 
applications 
include 
KeepSafe, 
Photo Vault, 
Calculator+, 
SecretSafe, and 
Purple Photo 
Vault 
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Box 14.3. Criminals and Vault Apps 


Baraboo Man Charged with Having Child Porn Hidden in Cell 
Phone Calculator App 


https://madison.com/news/local/crime-and-courts/baraboo-man- 
charged-with-having-child-porn-hidden-in-cell-phone-calculator-app/ 
article_6e34dcaa-c687-5f66-895c-7fea92d6d0tb.html 


The agent discovered hidden files on the phone, hidden through a 
calculator vault app. The smartphone application acts as a typical cal- 
culator until numbers are entered as a password, revealing images held 
within it. In this case, the password was Moliner-Wetzel’s birth date. 


This article provides an excellent example of the vault app being used by a 
criminal to hide child sex abuse imagery. In this case, the vault application 


was disguised as a calculator app. 


Regarding social media, digital evidence may be found on the physical 
device or on the network (Brunty & Helenek, 2013; Seigfried-Spellar & Lesh- 
ney, 2015). However, what further complicates the digital forensic investigation 
is that mobile applications are an ever-changing and evolving piece of evidence 
(Billups, 2020). A consistent theme throughout this book is that technology 
changes faster than what law enforcement or digital forensic tools can keep up 
with. As a new social media application emerges, it may not be supported by 
the current digital forensic tools, making it impossible for forensic artifacts to 
be reliably discovered. As of January 2021, the number of people who own 
smartphones worldwide was 3.8 billion. The future of digital forensics will 
rely on our ability to gather digital evidence from these devices, but this will 
be influenced by whether the digital forensic tools of today can identify the 
forensic artifacts from the mobile applications of tomorrow (see Billups, 2020). 


Stages of Digital Forensic Investigation 


In an attempt to standardize the steps for conducting a digital forensic investi- 
gation, process models were developed which provided practical guidelines 
and general procedures to conducting a digital forensic investigation (Casey, 
2011; Sachowski, 2018). Standardizing the investigation process generates 
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consistency in how digital evidence is handled by law enforcement person- 
nel. However, what is interesting is the fact that there is no standard process 
model used to describe the stages of a digital forensic investigation (see Casey, 
2011). Although the terminology is different, there are four common stages in 
the digital forensic investigation: survey/identification, collection/acquisition, 


examination/analysis, and report/presentation. 


Survey/Identification 


Survey/identification is the initial step ofa digital forensic investigation. Dur- 
ing this stage, law enforcement personnel and digital forensic technicians sur- 
vey the physical (e.g., home office) and digital crime scenes (e.g., Internet) to 
identify potential sources of digital evidence. This step is often the most difficult 
because technology is constantly changing and evolving, and less “obvious” 
digital devices (e.g., PlayStation vs. desktop computer) may be overlooked for 
their potential evidentiary value. For example, the Xbox gaming system can be 
modified to run a different operating system, thereby making it possible to func- 
tion as a traditional personal computer (e.g., store files, surf the web; see Bolt, 
2011; Burke & Craiger, 2007). In 2010, 20-year-old Timothy Hammerstone 
was arrested for soliciting sexually explicit photos of a 10-year-old boy through 
his Xbox (see Box 14.4). 

Along with nontraditional digital devices, some sources of potential evidence 
may be hidden or disguised as nondigital devices, such as the concealed camera 
in the ballpoint pen or lighter. There are also websites that provide helpful hints 
for concealing Universal Serial Bus (USB) flash drives in everyday household 
items (see Figure 14.5). Finally, surveying the digital crime scene may be diffi- 
cult because specific cybercrimes, such as hacking and malware, are often com- 
mitted thousands of miles away from their targeted devices (see Chapters 3-5). 
Once the physical and digital crime scenes are surveyed, and potential sources of 
digital evidence are identified, the digital devices must be searched and seized. 
This stage of the digital forensic investigation is known as the collection or 


acquisition phase. 


Collection/Acquisition 


The collection/acquisition phase of the digital forensic investigation is con- 
cerned with the retrieval and preservation of digital evidence (ISO/IEC, 2012). 


First, digital forensic technicians must document how the digital evidence was 
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Box 14.4 Video Game Systems and 
Digital Evidence 


Folsom Boy, 10, Victimized Through Xbox; Florida Man 
Arrested 


https://goldcountrymedia.com/news/33624/10-year-old-victimized- 
through-xbox/ 


A 10-year-old Folsom boy who was enticed by $20 worth of free Xbox 
Live credits, told his parents recently he had sent nude photographs of 
himself to a man he met online. ... These game systems allow the users 
to speak to one another, send text messages and transfer photographs as 
well as live video feeds. 


This article provides an excellent example of the ways that the Xbox 
gaming system can be abused by cybercriminals. In this case, an individual 
was able to use the gaming system to acquire sexual images of a minor, 
and demonstrates why all technology can play a role in cybercrime in 


some fashion. 


retrieved from the digital source (e.g., mobile phone) — that is to say, how 
the mobile phone was searched and how the digital evidence was seized. For 
example, during computer forensic investigations, technicians must determine 
whether to conduct an on-site or off-site search; in other words, whether to 
seize the digital device and search it on-site or off-site at a forensic labora- 
tory (Maras, 2012). It is important for law enforcement to maintain detailed 
notes and documentation of the search and seizure process of the digital forensic 
investigation. In addition, for any crime scene, whether traditional or digital, 
the evidence must be collected in a manner that is forensically sound and pre- 
serves the evidence’s integrity. Evidence retrieved from a digital device must 
be authenticated in order for it to meet admissibility standards for evidence in a 
court of law (see Chapter 16). The goal of evidence preservation is to make a 
copy of the original data files for examination in a way that minimizes the possi- 
bility of any changes being made to the original data files (International Organ- 
ization for Standardization and the International Electrotechnical Commission; 
ISO/IEC, 2012; Sachowski, 2018). The process of preserving digital evidence 
will be discussed further in the next chapter. 


Tipm 


Hiding flash 
drives. 

There are 
websites that 
provide advice 
on how to 
disguise your 


USB flash drive 


Source: (a) 


553 


Evolution of Digital Forensics 


554 


Examination/Analysis 


Once a copy of the original data is verified, the examination/analysis stage 
refers to data recovery/extraction and analysis of digital data. First, manual 
and automated programs should be used to uncover digital evidence, that is to 
say, recover and restore hidden files, manipulated, and deleted files. Once the 
data has been restored, the digital forensic technician must analyze the digital 
data to determine its relevance to the investigation (e.g., Rule 401 of the US 
Federal Rules of Evidence; see Chapter 16; Sachowski, 2018). By the end of 
the examination/analysis phase, the digital forensic technician has reconstructed 
the digital crime scene. This stage will be discussed further in Chapter 15. 
After this reconstruction, the digital forensic investigation enters its final stage — 
the report/presentation stage. 


Report/Presentation 


The final phase in the digital forensic investigation is the report/presentation 
stage. Here, the findings that are determined relevant to the investigation 
are finalized in a report. How evidence is determined to be relevant to an 
investigation will be discussed further in Chapter 16. In addition, this report 
should reflect complete transparency, meaning each step described in detail so 
as to leave no mystery in the digital forensics process. Specifically, the digital 
forensic technicians should be prepared to testify in court regarding the survey/ 
identification (e.g., chain of custody), collection/acquisition (preservation, 
forensic tools), and examination/analysis (data recovery and reduction) stages of 
the digital forensic investigation. The report/presentation stage will be discussed 
further in Chapter 15. 

In a perfect world, these four stages would be conducted by a trained digital 
forensic technician who is responsible for identifying, preserving, analyzing, and 
reporting the findings of the digital forensic investigation. However, digital foren- 
sic training and certification is expensive, and many law enforcement departments 
do not have the funding or resources available to purchase the necessary forensic 
equipment. For most law enforcement agencies, it is not plausible to always have a 
certified digital forensic technician at the scene, just as it is equally implausible for 
a law enforcement officer to collect all potential sources of digital evidence to be 
sent to an external forensic laboratory for examination (Cohen, 2007; Sachowski, 
2018). For each tier, there are specially trained law enforcement officers who are 
knowledgeable, to various extents, in the digital forensic process. Since all law 
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enforcement personnel (e.g., patrol officer, detective) have the potential to come 
into contact with digital evidence, “each officer has a role to play in the safeguard- 
ing and examination of that material” (Cohen, 2007, p. 3; Holt et al., 2015). 


The Role of Digital Evidence 


In this Digital Age, technology is inescapable in our daily lives, and those who 
commit crimes use technology to their advantage. For a crime to be labeled a 
“computer crime,” the computer must be either the target or tool for com- 
mitting the crime. In other words, a hacker may target and take down a specific 
website whereas child pornography consumers use the Internet as a tool for 
downloading child sex abuse images. However, the computer may also be an 
incidental to a crime, meaning the computer is either involved in the com- 
mission of a crime, or the computer is being used merely as a storage device 
(Maras, 2012). With the globalization of technology and the Internet, there will 
continue to be an increase in the abundance of digital devices that need to be 
analyzed for potential digital evidence. Digital evidence is information that is 
either transferred or stored in a binary form that is relevant to the crime under 
investigation (Casey, 2011; Sachowski, 2018). 

According to Locard’s Principle of Exchange, when there is contact between 
two items, there is an exchange of material (Locard, 1934). That is to say, there 
is an exchange of evidence between the offender and the crime scene — the 
offender will leave something at the scene of the crime (i.e., fingerprints) as 
well as take something away from the scene of the crime (e.g., victim’s DNA). 
Locard’s Principle of Exchange is important because one of the reasons evidence 
is sought after is to link the people, places, and objects involved in the crime. In 
addition, it is important to obtain evidence in order to provide additional leads, 
eliminate potential suspects, identify the suspect, corroborate or refute testi- 
mony, and, most importantly, prove that a crime has been committed, other- 
wise known as corpus delicti (see Girard, 2011). Digital evidence may be the 
“link” between the victim and the offender, just like traditional trace evidence 
(e.g., hair, fibers, blood) in the other forensic sciences. For example, Philip 
Markoff, otherwise known as the craigslist killer, was arrested after investigators 
were able to link the IP address used to send an email to the murder victim to 
Markoff’s home address (see Hansen, 2013). 

We are trying to tell a story — the who, what, when, where, why, and how 
of a criminal or civil offense. In general, a criminal offense (state and federal) is 


the violation of a law in which a crime (e.g., murder, rape) is committed against 
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the state, society as a whole, or a member of society. In criminal cases, the 
plaintiff is either the state or federal government since the state is representing 
not only the victim but also society as a whole. A civil offense is a noncriminal 
offense, usually a dispute, between private parties (e.g., individuals, organiza- 
tions, or businesses). In addition, the punishment in civil cases usually consists 
of monetary damages as compensation, as opposed to incarceration, which can 
only be imposed by criminal law violations (see Allen et al., 2011). Digital evi- 
dence may play a role in both criminal and civil cases. 

Let’s first look at the role of digital evidence in a criminal case — State of 
Florida v. Casey Marie Anthony. In 2008, Casey Anthony was charged with the 
murder of her daughter, Caylee Anthony. At the trial, the prosecutor argued 
that Casey Anthony had used chloroform on her daughter before duct-taping 
her mouth. A computer forensic examiner testified that someone had con- 
ducted Internet searches using the keyword “chloroform” on the home com- 
puter (Hayes, 2011). This digital artifact was determined to be relevant to the 
case, therefore admissible as evidence, since it made the prosecutor’s argument 
that Casey Anthony had used chloroform on her daughter more probable. 

On the stand, Casey Anthony’s mother claimed that she was the one who 
had searched for “chloroform,” and that it was an accident as she had meant to 
search for “chlorophyll.” In a controversial verdict, Casey Anthony was acquit- 
ted of first-degree murder. After the trial, the Orange County Sheriff's depart- 
ment admitted to overlooking evidence of a Google search for “fool-proof 
suffocation” methods the day the daughter was last seen alive (see Associated 
Press, 2012). It is unknown how this uncaptured digital evidence would have 
otherwise influenced the outcome of the Casey Anthony trial. 

In a cannibalism trial in Germany, the digital forensic evidence suggested the 
victim of a murder was actually a willing participant in his own death (see Davis, 
2008; King, 2013). In 2001, 41-year-old Armin Meiwes posted an Internet ad 
on the Cannibal Café forum for a “well-built 18 to 30-year old to be slaugh- 
tered and then consumed.” This ad was answered by 43-year-old Bernd-Jurgen 
Brandes. Searches of Meiwes’ computer reviewed chat logs between the two 
men before they set their in-person meeting on March 9, 2001. In one of these 
chat logs, Meiwes stated, “I would rather kill only those who want to be killed” 
(King, 2013). 

Meiwes videotaped the encounter with Brandes. This video suggested 
Brandes was a “voluntary victim.” After killing Brandes, Meiwes consumed his 
flesh for ten months until police were contacted by a college student who saw 
advertisements for more victims on the Internet, including details about the 
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killing. According to the police, Meiwes was involved in several cannibal forums 
and had been in contact with over 400 people from these Internet forums. In 
addition, Meiwes had received emails from over 200 people who wanted to be 
killed and eaten. After a retrial, Meiwes was convicted of murder and sentenced 
to life. Although this was not a traditional cybercrime case, digital evidence 
revealed a timeline between when the Cannibal Café ad was posted, the chat 
logs between Meiwes and Brandes, and the additional Internet postings that 
eventually led police to the Rotenburg Cannibal (Davis, 2008; King, 2013). 


For more information on the Rotenburg Cannibal, go online to: 
http://www.dailymail.co.uk/news/article-3439299/1-fried-piece-rump- 
steak-ate-sprouts-German-cannibal-ate-gay-lover-permission-describes- 
went-killing-eating-him.html 


Next, consider the role of digital evidence in the civil case Berryman-Dages 
v. City of Gainesville. In 2011, Kim Berryman-Dages (the plaintiff) sued the 
City of Gainesville, Florida (defendant), claiming she was adversely treated and 
demoted at work (Gainsville Fire Rescue service) due to her gender and sex- 
ual orientation. In 2011, Berryman-Dages subpoenaed the computer of a non- 
party to the case, Ms. Thayer, because Ms. Thayer admitted (although later 
denied) to sending an anonymous letter to the plaintiff criticizing her sexual 
orientation. Ms. Thayer was married to the Gainesville Fire Rescue Chief at the 
time this letter was written and at the time of the demotion. The court ruled 
that Ms. Thayer must comply with the subpoena and allow a computer foren- 
sics expert to search her personal computer for digital evidence of the letter in 
question (see Berryman-Dages vs. City of Gainesville, 2011). 

Overall, as evidenced by these cases, the cyberworld is not that different from 
the physical world. Digital evidence is just as important as physical evidence in 
criminal and civil cases. Before law enforcement can examine the digital evi- 
dence, they must be able to identify which digital devices at a crime scene may 
contain evidentiary information. Since the advent of the personal computer, 
the number of people who own computers has increased. For instance, only 
8.2 percent of all households had a computer in the home in 1982 (United States 
Census Bureau, 2014), compared to 77 percent in 2021 (Pew Research Center, 
2021). Additionally, 85 percent of Americans now own a smartphone in 2021, 
compared to 35 percent in 2011 (Pew Research Center, 2021). Unlike the 


early years of digital forensics, identifying electronic evidence has become more 
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Fig. 14.6 An 
older model 
computer 
Source: A 
photo of an old 
IBM Personal 


Computer XT 
released in 1983. 


http://commons. 


wikimedia.org/ 
wiki/File: 
Museum-Enter- 
6094770. JPG? 
uselang=en-gb 
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complicated for law enforcement officers due to the advancement and increased 


use of technology in our everyday lives. 


Types of Hardware, Peripherals, 
and Electronic Evidence 


In 2008, the National Institute of Justice released a report entitled Electronic 
Crime Scene Investigation: A Guide for First Responders, which was intended to 
assist law enforcement with the recognition and collection of electronic evi- 
dence. Traditionally, the most common form of digital evidence is the computer 
system, which consists of hardware, software, and peripheral devices to either 
input (introduce information to the computer), analyze (process), or output 
(produce/display information processed by the computer) data (Britz, 2009). 
Hardware is considered the tangible or physical parts of a computer system 
(e.g., motherboard). Software consists of programs that include instructions 
which tell computers what to do (e.g., operating systems). Peripheral devices 
are externally connected components that are not considered essential parts 


of a computer system, such as scanners, printers, and modems. As shown in 


Figure 14.6, the size and look of computers have changed dramatically over the 
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years, from large, desktop computers (e.g., a legacy system) to personal tablets, 
including the Apple iPad mini, which weighs only 0.75 Ib (341 g). 

These outdated computer systems, devices, or software are often referred 
to as legacy systems (see Seacord et al., 2003). For example, mainframes are 
considered the legacy system for the personal desktop computer. Since tech- 
nology is constantly changing and developing, it may be traditionally easier for 
law enforcement to identify legacy systems (e.g., desktop computers) compared 
to their newer counterparts (e.g., tablets). Therefore, it is important that law 
enforcement remain vigilant of the trends in technology in order to identify 
both legacy systems and more current technology. In fact, legacy systems have 
been targeted for cyberattacks due to their high-value data and easier exploit- 
ability. Legacy systems are end-of-life (EoL), meaning they no longer receive 
patches, updates, and/or cannot be upgraded to a new version — this includes 
security updates (SeetharamaTantry et al., 2017; see Box 14.5). Often legacy 
systems are found in hospital systems in order to meet the demands of digital 
health and are incredibly attractive targets due to their high value, sensitive 
data. Even though these attacks are on the rise, investigating these incidents are 


Box 14.5 Legacy Systems and Vulnerabilities 


Microsoft Issues Rare Legacy OS Patch to Prevent Another Wan- 
naCry: Microsoft released a patch for its outdated Windows XP, and 
other legacy systems, after finding a vulnerability that would allow an RDP 
exploit — much like what happened with WannaCry. 


https://healthitsecurity.com/news/microsoft-issues-rare-legacy- 


os-patch-to-prevent-another-wannacry 


Microsoft released a rare patch for a handful of legacy operating systems 
that it no longer services after finding a critical flaw, to prevent another 
global WannaCry cyberattack. 


Windows 2003, Windows 7, Server 2008, and XP are no longer main- 
tained by the tech giant and no longer receive patches to shore up 
security flaws. However, much of the healthcare sector — and some of 
its medical devices — still heavily use those platforms. 


This article provides a great example of the vulnerabilities of legacy systems. 
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evolution of 
removable 
storage devices 


Source: http:/, 
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incredibly difficult due to the lack of forensic readiness and infrastructure to 
replace and relieve impacted systems (Chernyshev et al., 2019). 

Along with computer systems, law enforcement officers must be able to 
identify the various forms of storage device, which include hard drives and 
removable media (Allen et al., 2011; Sachowski, 2018). First, he 
are data storage devices used for storing and retrieving data. Internal | 
drives are installed inside the computer, whereas external hard drives are 
portable storage devices located outside of the computer and are usually con- 
nected via a USB port. Internal or external hard drives do not need to be con- 
nected to a computer in order for them to have evidentiary value. For example, 
Ryan Loskarn, ex-chief of staff to Senator Lamar Alexander of Tennessee, was 
charged with possession and distribution of child pornography after the PIS 
located an external hard drive hidden on the roof of Loskarn’s home (Marimow, 
2013). According to court documents, investigators saw Mr. Loskarn leaning 
out of a window from the second floor of his home during the raid. Upon fur- 
ther inspection, investigators found an external Toshiba hard drive on the roof 
(Marimow, 2013). 

Another form of storage device is the removable media device, which is 


used to store and share digital information. As shown in Figur« 7, removable 


storage devices have evolved over the years and include floppy disks, zip disks, 
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compact disks (CDs), CompactFlash card, smart media (SM) cards, and USB 
flash drives, to name just a few. 

USB flash drives, or thumb drives, are one of the most common remov- 
able storage devices. They are small, lightweight, and can easily be transported 
and concealed. Other popular storage devices are MicroSD cards, external hard 
drives, and removable solid-sate drives are popular storage devices that are cheap 
and durable. Overall, data storage devices may contain a plethora of electronic 
evidence, but they may also be more difficult to identify due to their small size 
and portability. 

Handheld devices are another source of potential electronic informa- 
tion and include mobile phones, digital multimedia devices (e.g., iPod), digital 
cameras, and Global Positioning Systems or GPS (see Figure 14.8). Handheld 
devices are capable of providing communication (e.g., texting), photography 
(e.g., built-in camera), navigation (e.g., maps), entertainment (e.g., music), and 
data storage (e.g., word processing documents, contacts). 

Many of these devices were initially intended to perform a certain func- 
tion; for example, Apple released the first iPod in 2001 as a portable music 
storage device. Unless the crime involved copyright infringement, a basic first 
responder may not necessarily consider an iPod as a storage device for electronic 
evidence other than music. Law enforcement and computer forensic technicians 
should not be fooled by how these tools may be “traditionally” used as crimi- 
nals have found other ways to use these handheld digital devices. For example, 
in 2004, the ringleader of a car theft gang in London was arrested due to the 
incriminating evidence found on his iPod (see Box 14.6). 

Another popular feature of mobile phones and tablet computers is the app, 
which is a software application typically downloaded by the user that performs 
a certain function, such as gaming, sharing information (pictures), communicat- 
ing, or providing entertainment. According to Price and Dahl (2016), the best 
iPhone apps of 2016 include: Waze, Inbox by Gmail, Cash, Photoshop Fix, and 
Uber or Lyft. Not only do some apps have chat features (e.g., Words with Friends), 
but research shows people are moving away from traditional text messaging 
to the use of mobile messaging apps specifically designed for chatting, such 
as WhatsApp, NextDoor, and encrypted applications like Telegram and Sig- 
nal. These mobile messaging applications replace the short message service 
(SMS), which is the traditional method of sending short messages or “texts” 
between mobile devices through your cell phone provider. Mobile messaging 


applications allow you to send and receive pictures or text messages without 


paying for SMS. 
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Fig. 14.8 The 
evolving state 
of mobile and 
smartphones. 
The handheld 
mobile and 
smartphone 
has evolved 
immensely 

in size and 
function 
Source: http:// 
commons. : 
wikimedia. = 
org/wiki/ 
File:Mobile_ 
phone_evolution. 
Jpg 
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Box 14.6 Digital Evidence and Real-World Crime 
iPod Car Theft Ringleader Jailed 


http://news.bbc.co.uk/2/hi/uk_news/england/london/3932847.stm 


The gang “hijacked” identities to drive off Jaguars, Mercedes, BMWs 
and a Porsche, before selling them. The Vehicle Fraud Unit raided the 


estate and found a mass of incriminating evidence stored on an iPod. 


This article provides an in-depth overview of the ways that digital evidence 
can demonstrate criminal activity of any sort, whether online or offline. 
Readers will gather an appreciation for the ways that digital devices pro- 
vide a record of individual activity in multiple environments and can be 


invaluable for investigators of all crimes. 


Some of these mobile apps are considered anonymous and provide privacy 
online by masking users’ identities and having messages that “self-destruct,” 
meaning they are only visible for a short period of time, like SnapChat, Wickr, 
and Telegram. Overall, these messenger apps are becoming more popular 
because of the growing concerns over wiretapping and surveillance (i.e., record- 
ing phone conversations or reading text messages; Vincent, 2014). Law enforce- 
ment and security experts are well aware that these mobile apps are well suited 
for criminal behaviors, and retrieving digital information during an investigation 
will prove to be difficult (Mengle, 2013). 


For more information on the ways that offenders are using mobile 


apps, go online to: http://archive.indianexpress.com/news/mumbai- 


police-worried-as-more-criminals-take-to-chat-apps/1144802/ 


As previously discussed, crimes increasingly involve at least one digital ele- 
ment (Clifford, 2006), and any digital device, regardless of its primary function, 
may be of evidentiary value. For example, a digital device may store digital 
information (emails) that is relevant to an investigation or be a source of finger- 
prints or trace evidence. Digital evidence comes in many shapes and sizes and 


is no longer limited to traditional desktop computers. Instead, storage devices, 


handheld devices, video game consoles, and computer network devices should 
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be identified for their potential evidentiary value during any criminal investi- 
P y g any 

gation. Taken as a whole, the identification of digital devices may be a com- 

plicated task for law enforcement as technology continues to become smaller, 


more compact, and in some cases, disguised. 


Evidence Integrity 


As noted, the first step of the digital forensic investigation involves the survey/ 
identification of potential sources of digital evidence. Next, the importance 
of evidence integrity will be discussed with regards to forensic soundness and 
authentication. For any crime scene, whether traditional or digital, the evidence 
must be collected in a manner that is forensically sound and preserves the evi- 
dence’s integrity. Forensic soundness refers to the validity of the method for 
collecting and preserving evidence. In digital forensics, evidence is forensically 
sound when it is collected in a way where the data is unaltered, the copied data 
is an exact duplicate of the original, and the examiner documents every part of 
the acquisition process (see Sachowski, 2018; Vacca & Rudolph, 2010). 

Complete transparency is important in the acquisition of evidence. The dig- 
ital forensic technician is responsible for documenting which tools were used 
during the forensic examination as well as the date and time of evidence preser- 
vation. When the examiner is transparent, it is easier for the courts to determine 
the validity of the process, meaning whether the evidence was collected and pre- 
served in a manner so that an accurate conclusion can be drawn (Sachowski, 2018; 
Slay et al., 2009). The validity of digital forensics is assessed by whether or not the 
evidence is admissible in a court of law. The process by which a digital forensics 
examiner preserves and validates the evidence will be discussed in greater detail 
in Chapter 15. The admissibility standards for evidence in a court of law will be 
discussed in greater detail in Chapter 16. For now, remember that it is not the job 
of a digital forensic examiner to “prove” a suspect’s guilt or innocence. Instead, 
the number one priority of the digital forensic examiner is to maintain evidence 
integrity, which is the reliability and truthfulness of the evidence. 


Summary 


Overall, virtually every crime will involve some form of digital evidence, and 
it is up to law enforcement to be able to identify the possible sources thereof. 
However, digital evidence may be collected from not-so-obvious devices, such 
as flash drives disguised as a teddy bear or bracelet (see Figure 14.9). 


Hidden media 
examples. 
During a search 
and seizure, law 
enforcement 
may not 
recognize a 
teddy bear 
keychain or 


bracelet as a 
USB flash drive 


Source: (a) 


Courtesy of 
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With digital devices increasingly being used to target, act as a tool, or provide 
support for criminal activities, it is important for law enforcement to under- 
stand the crime scene in the Digital Age. There is no doubt that technology 
will continue to evolve, meaning law enforcement must be able to quickly 
react to the new and different ways technology may be used for nefarious acts. 
For example, in the near future hackers could remotely hijack an automobile 
through its Internet-enabled features, and use it to commit a crime, such as a 
hit-and-run. Law enforcement agencies would need to be prepared to conduct 
vehicle system forensics in a sound and systematic fashion to support a crim- 
inal charge (Kennedy et al., 2019; Nilsson & Larson, 2009; Wright, 2011). 

Regardless of whether it is a computer, mobile phone, or USB flash drive, 
digital evidence will only be admissible in a court of law if it is collected in a 
forensically sound manner. The importance of being forensically sound cannot 
be reiterated enough, for it can be the deciding factor in any court case, espe- 


cially in our current, Digital Age. 


To see a YouTube video of two hackers hijacking a Jeep, please 
visit: https://www.youtube.com/watch?v=MKO0SrxBC 1xs 
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Discussion Questions 


1. If technology is constantly evolving, will law enforcement and judi- 
cial legislation always be “‘one step behind” the criminal? Are there any 
crimes that do not leave behind digital evidence? 

2. What are some of the problems law enforcement investigators face when 

collecting digital evidence from a crime scene? 

. Garfinkel (2010) argues that the Golden Age of digital forensics is nearing 


iS») 


its end — what do you think is the next stage or era of digital forensics? 


aN 


. Maintaining evidence integrity is one of the most important steps in the 
digital forensic investigation. Provide some examples of how the integ- 
rity of evidence can be discredited during a digital forensic investiga- 
tion. What are some ways that law enforcement can ensure that evidence 


integrity is maintained during a digital forensic investigation? 
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Chapter Goals 


e Explain the two steps in the data preservation process 

e Identify and describe two digital forensic imaging tools 

e Understand the differences between physical and logical extraction 

e Understand the importance of repeatability and reproducibility as 
standards for imaging tools 

e Differentiate between allocated, unallocated, slack, and free space 

e Understand the importance of report objectivity and reducing confir- 
mation bias 


e Identify different data files as potential sources of evidence 


Introduction 


In 1992, the Colorado-based company Gates Rubber filed a lawsuit against 
Bando Chemical Industries, accusing them of stealing trade secret information, 
specifically two computer programs (Gates Rubber Co. v. Bando Chemical Indus- 
try, 1996). Both companies were competing against one another in the industrial 
belts market, and Bando Chemical Industries hired several former employees of 
Gates in 1988. Gates believed that two computer programs were stolen and 
copied by the former employees, who were now using the computer programs 
under a different name. Gates sued for copyright infringement, embezzlement 
of trade secrets, and breach of contract (Gates Rubber Co. v. Bando Chemical 
Industry, 1996). 

In 1992, the judge granted Gates’s computer forensics expert, Voorhees, access 
to the defendant’s computer in order to examine whether or not the defendant 
had maliciously deleted files in an attempt to destroy evidence. However, the 
defendant’s computer forensics expert, Wedig, presented testimony that Voor- 
hees failed to maintain the authenticity of the computer evidence. Wedig stated 
that Voorhees inappropriately copied a computer program (Norton’s Unerase) 
directly onto the defendant’s computer, which “obliterated, at random, seven 
to eight percent of the information which would otherwise have been available 
[and] no one can ever know what items were overwritten” (Gates Rubber Co. v. 
Bando Chemical Industry, 1996). Wedig argued that by not making an image copy 
of the hard drive, Voorhees failed to preserve evidence — and the court agreed. 
In the ruling, the US District Court of Colorado stated, “a party has a duty to 
utilize the method which would yield the most complete and accurate results” 
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(Gates Rubber Co. v. Bando Chemical Industry, 1996). Essentially, the court man- 
dated that all litigants be required to obtain competent computer forensic exam- 
iners in order to preserve and authenticate the integrity of the digital evidence. 

It is clear from the Gates Rubber Co. v. Bando Chemical Industry (1996) case 
that some small portion of potential evidence was lost because the plaintiffs 
computer forensic examiner failed to acquire and examine the defendant’s com- 
puter hard drive accurately. As a result of faulty procedures, no one will ever 
know what 7-8 percent of potential evidence was overwritten. By the end 
of this chapter, you will understand the process by which a digital forensics 
examiner preserves and authenticates digital evidence. In addition, you will 
understand how examiners utilize forensic tools to assist in the preservation and 
extraction of digital evidence. We will explore in detail the examination/anal- 
ysis phase of the digital forensics process by describing how and where poten- 
tial evidence may be uncovered from a digital device, including the ability to 
recover deleted files. Finally, we will conclude this chapter with a discussion 
of report objectivity and forensic confirmation bias; after all, the integrity of the 
report is just as important as the integrity of the evidence itself. 


Data Preservation 


Data preservation is the first step in uncovering digital evidence and occurs 
during the collection/acquisition phase of the digital forensic investigation (see 
Chapter 14). The goal of evidence preservation in digital forensics is to make a 
copy of the original data files for examination in a way that minimizes the pos- 
sibility of any changes being made to the original data files ISO/IEC, 2012; 
Sachowski, 2018). Just as in any forensic science (i.e., entomology, pathology), 
it is important to protect the crime scene in order to preserve the integrity of the 
evidence. Digital evidence needs to be preserved just like other traditional forms 
of physical evidence, such as blood or hair (see Saferstein, 2010). However, 
what makes digital forensics unique is the fact that preservation specifically refers 
to the ability to make a duplicate copy of the original digital evidence. 

Consider the murder of 30-year-old David Guy of southern England. On 
July 3, 2012, the torso of David Guy, which was wrapped in a pink shower 
curtain and stuffed in a plastic bin, was found by a group of students on vacation 
at Portsmouth beach (BBC News, 2013). On July 8, 2012, David Hilder was 
charged with the murder and dismemberment of David Guy. The prosecutor’s 


key evidence was DNA samples taken from Hilder’s cat, Tinker. The pink 


shower curtain that wrapped Guy’s torso was covered in cat hair, and the police 
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were able to extract DNA from the cat hair follicles. Tinker’s DNA was then 
compared to two cat DNA databases at the Veterinary Genetics Laboratory 
at the University of California in the United States and Leicester University’s 
Department of Genetics in the United Kingdom. It was determined that Tinker 
had an uncommon DNA type, and this case became the first time that cat DNA 
was used during a criminal trial in the United Kingdom (Bond, 2013). Hilder 
was sentenced to life in prison on July 30, 2013. 

In this example, the crime scene technicians preserved the cat hairs from the 
pink shower curtain, which ultimately resulted in cat DNA evidence linking 
Hilder to the murder. However, the word preserve in this example does not 
mean that the crime scene technicians, or even the veterinary geneticists, were 
able to make a duplicate copy of the cat hairs. Instead, the crime scene technicians 
and geneticists must alter (thereby damaging) the original cat hairs collected at 
the crime scene in order to test for DNA evidence. Overall, preservation has 
a different connotation depending on whether you are referring to physical or 
digital evidence. Digital forensics is unique in some ways when compared to 
the other forensic sciences since the forensic examination is not limited to the 
original digital device. Instead, there are forensic tools that are capable of mak- 
ing a duplicate, thereby preserving the original source of digital evidence. This 


process is known as imaging. 


Imaging 


Imaging is the initial step in the preservation process of digital evidence. Imag- 
ing is the process of making an exact copy (bit-by-bit) of the original drive 
onto a new digital storage device (Casey, 2011; Maras, 2012; Sachowski, 2018). 
This new digital storage device should be clean, meaning there is no digital 
data present or left over that could contaminate the imaging process (Johnson, 
2006). The process of cleaning a digital storage device to ensure that there are 
no remnants of data present is known as wiping (Wiles, 2007). When imaging 
a drive, the digital forensics tool must be forensically sound. To be forensically 
sound, the digital forensics tool must eliminate the possibility of making any 
changes to the original data source (Casey, 2011). To ensure that no changes 
are made to the original data source, a write blocker is used. A write blocker 
is a device that allows read-only access to all accessible data on a drive, as well 
as preventing anything from being written to the original drive, which would 
alter or modify the original evidence (National Institute of Standards and Tech- 
nology; NIST, 2004; see Figure 15.1). Essentially, the imaging system is sending 
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read-only commands to the drive and not write or modify commands (NIST, 
2004). There are a number of hardware (external) and software (internal) write 
blockers on the market (see www.cftt.nist.gov), although hardware write block- 
ers are often preferred because it is argued that they have a lower failure rate 
(see Falayleh & Al-Karaki, 2013). There are also flash media, SD card, and 
mobile phone write blockers to accommodate different storage types. Hardware 
write blockers are also known as bridges since the digital evidence is con- 
nected to the examiner’s computer through the write blocker (see Figure 15.1; 
Sachowski, 2018; Wiles, 2007). Once the original data device is imaged, the 
next step is for the digital forensic examiner to determine whether or not the 
original and duplicate copies are in fact one and the same. 


Verification 


Verification is the last step in the preservation process of digital evidence. Ver- 
ification establishes the integrity of the digital evidence by proving that the 
duplicate is authentic, meaning a true and unaltered copy of the original data 
source (Casey, 2011; Sachowski, 2018). Digital forensic investigators verify the 
duplicate copies by comparing hash algorithm values (e.g., MD5, SHA). A 
hash algorithm is a set of calculations that takes any amount of data (input) and 
creates a fixed-length value (output), known as a hash, which acts as a unique 
reference number for the original data (Liu, 2011; Sachowski, 2018). Hash val- 
ues are fixed in length and made up of a unique combination of hexadecimal 
digits (which can be the numbers 0-9 or the letters a-f). These hash values act as 
digital fingerprints since they are unique to the original data they reference (Liu, 
2011). Hash values play an integral part in the verification of digital evidence 
because they are extremely sensitive to any changes in the original data, even 
if changing only one bit. The process of creating a hash value from a variable 
amount of data is known as hashing. 

In order to verify that the original data was preserved during imaging, a hash 
value is created for the original drive and its image. If the hash values match, 
the investigator has verified that the original and duplicate copies are one and the 
same. In other words, the digital forensic examiner can now search the dupli- 
cate copy for digital evidence as if searching the original digital device (e.g., cell 
phone). If during the imaging process any changes occur to the original drive, 
the hash values will be different indicating that the image is not an exact copy of 
the original drive. Hash values act as a digital fingerprint for both electronic files 


(e.g., images, documents) and storage media (e.g., hard drive). 
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For example, the National Center for Missing and Exploited Children 
(NCMEC) established the Hash Value Sharing initiative in 2008, which is a 
constantly updated list of hash values for known child sex abuse images/videos 
(see also Chapter 8; Larence, 2011). This list of known hash values is distributed 
to law enforcement who can cross-check the known hash values with the hash 
values from their child pornography cases to determine if there are any “new” 
instances of child sex abuse (i.e., not currently listed by NCMEC). 


For more information on the NCMEC and the CyberTipline, go 
online to: https://www.missingkids.org/gethelpnow/cybertipline 


Currently, the two most common hash algorithms are MD5 and SHA (Casey, 
2011). MD5 (Message Digest Version 5) is a type of hashing algorithm that 
takes a large amount of data of arbitrary length (input) and calculates a unique 
“fingerprint” of this data (known as hashing) expressed as a unique combination 
of digits and letters of a specified length (output). In this case, an MD5 hash 
algorithm produces a 128-bit hash value represented in text as a unique string of 
32 digits and letters (Casey, 2011; Marcella & Menendez, 2008; Rivest, 1992; 
Sachowski, 2018; see Box 15.1). 


Box 15.1 MD5 Algorithm 


An example of how the MD5 algorithm works: 


1 First, the MD5 hash for the original file is calculated. You will receive pay- 
ment after you murder my brother. 6b605a8f218ac7923e173c8082c52845 

2 Any exact copies of the file will produce the same MD5 value. Copy 1: 
6b605a8£218ac7923e173c8082c52845 Copy 2: 6b605a8f218ac7923e173 
c8082c52845 

3 Should any data in the file change, the MD5 value will change as well. 


For example: 


Copy 1: You will receive payment after you murder my brother. 
6b605a8f218ac7923e173c8082c52845 
Copy 2: You will receive payment after you murder my mother. 
21502c8d206b36391a029a7372e87777 
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Another common hashing algorithm is the SHA or Secure Hash Algo- 
rithm, originally created by the National Security Agency in 1993. Using a 
different algorithm, SHA follows the same basic principles as MD5 in that an 
arbitrary amount of information can be uniquely represented by a combination 
of hexadecimal digits, resulting in a “digital fingerprint.” The original version of 
SHA, known as SHA-O, was a 160-bit unique value (Eastlake & Jones, 2001). 
However, the original SHA algorithm was revised to SHA-1 due to unspeci- 
fied cryptographic flaws (see Biham & Chen, 2004), but there are still concerns 
about the vulnerability of SHA-1 to collision attacks (Bitansky & Degwekar, 
2019; Polk et al., 2011; Wang et al., 2005). 

In the hashing world, when two different sets of data (input) result in the 
same hash value (output), a collision has occurred (Bitansky & Degwekar, 
2019; Wang, 2012). For example, a digital forensics examiner collects two dif- 
ferent computers from a crime scene (computers X and Y). Before analyzing 
the evidence, the examiner images each computer to create a copy (X-copy and 
Y-copy). The hash values for X and X-copy should match, just as the hash val- 
ues for Y and Y-copy. However, a collision occurs when hashing a hard drive 
does not result in a unique “digital fingerprint,” but instead, the same hash value 
is produced (e.g., X-copy and Y-copy have the same hash value). 

If a collision occurs, the digital forensics examiner is unable to verify and 
authenticate the imaged drive. Research suggests it is theoretically possible for a 
collision to occur with MD5 and SHA-1 (see Polk et al., 2011; Wang et al., 
2005; Xie & Liu, 2013). However, MD5 and SHA-1 hash algorithms are still 
secure when used together, as the likelihood of both producing collisions has not 
been produced (Schmitt & Jordaan, 2013; Wang, 2012). In response to these 
collision concerns, several additional hash algorithms were created and have 
been approved for use in the digital verification process by NIST alongside MD5 
and SHA-1 (i.e., SHA-224, SHA-256, SHA-384, and SHA-512; Wang, 2012). 


For more on NIST Hashing Function guidelines, go online to: 


https://csrc.nist.gov/projects/hash-functions 


Several court cases have verified the use of hash algorithms in digital forensic 
investigations. For example, in XPEL Technologies Corporation v. American Filter 
Film Distributors (2008), the judge ordered that all of the images made from 
the seized digital devices “be authenticated by generating an MD5 hash value 
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verification for comparison to the original hard drive.” In addition, the Third 
Circuit described the SHA-1 hash value as “more unique to a data file than 
DNA is to the human body” (United States v. Beatty, 2011). The courts have 
also ruled on the degree of accuracy for the use of hash algorithms in digital 
forensics. Specifically, in United States v. Cartier (2008), the Eighth Circuit ruled 
that a “theoretical possibility” ofa collision is not grounds for excluding digital 


evidence authenticated with hash values: 


In arguing that the hash values do not establish probable cause for a search 
warrant, Cartier asserts that it is possible for two digital files to have hash 
values that collide or overlap. The district court heard the factual evidence 
presented on the issue of hash values at the suppression hearing. Cartier’s 
expert testified that hash values could collide and that in laboratory settings 
these values had done just that. However, the government’s expert witness 
testified that no two dissimilar files will have the same hash value. After 
hearing all of the evidence presented by both parties, the district court set- 
tled the factual dispute about hash values in favor of the view offered by the 
government. (p. 5) 


Overall, the imaging and verification process of data preservation is extremely 
important in order to maintain the integrity of digital evidence. Hash values will 
continue to be used as a means for verifying the authenticity of an imaged drive. 
However, the data preservation process relies on the use of digital forensic tools, 
many of which are dual purposed in that they both image and hash hard drives 
(e.g., EnCase, Forensic Toolkit [FTK]). Therefore, data preservation and evi- 
dence integrity rely heavily on the validity and reliability of digital forensic tools. 


Digital Forensic Imaging Tools 


During the pre-forensics era of the early 1980s, few forensic tools were available. 
In fact, only government agencies were developing computer forensic tools 
at this time, and these tools were not made available to other law enforce- 
ment agencies or industry (see Chapter 14). In addition, the courts were con- 
cerned with the accuracy of the computer forensics tools. During the 1980s, 
there were few law enforcement officers “trained” in computer forensics (i.e., 
most were self-declared experts), and the forensic tools that were available were 


expensive, making the collection and examination of computer evidence either 


inaccessible or unaftordable for most law enforcement agencies. However, by 
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the early 2000s, the forensic industry began to develop tools that allowed for the 
examination of computer evidence. This surge in forensic tools became known 
as the Golden Age of digital forensics (Garfinkel, 2010). 

During this Golden Age, it became even more important for law enforce- 
ment to verify that the digital forensic tools were producing reliable evidence in 
order to meet admissibility standards in a court of law (Garfinkel, 2010; National 
Research Council, 2009; see Chapter 16). In response, the NIST, an agency of 
the United States Department of Commerce, launched the Computer Foren- 
sic Tool Testing project (CFTT). According to NIST, there are hundreds 
of digital forensic tools currently being used by law enforcement worldwide, 
encompassing all manner of general and specialized tools for desktop, laptop, 
mobile device, and even vehicle forensics (NIST, n.d.). The purpose of the 
CFTT project is to “provide unbiased, open, and objective means for manufac- 
turers, law enforcement, and the legal community to assess the validity of tools 
used in computer forensics” (NIST, n.d.). In addition, these test results must be 
repeatable and reproducible, both of which are needed to assess “trueness and 
precision” (NIST, 2001, p. 4). 

According to NIST (2001), repeatability is “where independent test results 
are obtained with the same method, on identical test items, in the same labora- 
tory, by the same operator, using the same equipment within short intervals of 
time” (p. 4). In other words, the digital forensics tool replicates the same results 
when using the exact same methodology (1.e., exact duplicate of the testing pro- 
cess). On the other hand, reproducibility is “where test results are obtained 
with the same method on identical test items in different laboratories with dif- 
ferent operators using different equipment” (NIST, 2001, p. 5). Thus, the digi- 
tal forensic tool produces the same results even in a different testing environment. 
Both are necessary in order for the tool’s results to be admissible as evidence in 
a court of law. With so many digital forensic tools available, it is important that 
law enforcement choose those tools that have been tested for repeatability and 
reproducibility by NIST as well as accepted by the court. 

There are a number of both commercial (e.g., EnCase, FTK, WinHex) and 
open source tools (see http://opensourceforensics.org) available for digital foren- 
sic investigations (see Chapter 14). Without a doubt, the two most commonly 
used digital forensic tools are EnCase and FTK. The general acceptance of these 
two tools by the scientific community was even noted in the court case United 
States v. Gaynor (2008). The defendant in this case was charged with possession 
and distribution of child pornography. The defendant requested that mirror 


copies of the seized computer hard drives be made available to his computer 
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forensics examiner. The Adam Walsh Child Protection and Safety Act (2006; 
see Box 15.2), however, prohibited the defense from obtaining copies of the 
child pornography evidence in order to limit distribution of said illicit materials, 
so long as the defense has an ample opportunity to examine the evidence at a 
government facility (United States v. Gaynor, 2008). 

The defendant argued that the Adam Walsh Act violated his “right to ade- 
quately prepare his defense, his right to effective assistance of counsel, and his 
right to a fair trial” (United States v. Gaynor, 2008). The court ruled against 
Gaynor citing that the government had offered to provide a computer that met 


the minimum system requirements to run both FTK®™ and EnCase®. The court 


Box 15.2 The Adam Walsh Act 


Excerpt from the Adam Walsh Act (2006) — Discovery in child pornogra- 
phy cases. The importance of protecting children from repeat exploitation 
in child pornography: 


1 The vast majority of child pornography prosecutions today involve images 
contained on computer hard drives, computer disks, and related media. 

2 Child pornography is not entitled to protection under the First Amend- 
ment and thus may be prohibited. 

3 The government has a compelling State interest in protecting children 
from those who sexually exploit them, and this interest extends to stamp- 
ing out the vice of child pornography at all levels in the distribution chain. 

4 Every instance of viewing images of child pornography represents a 
renewed violation of the privacy of the victims and a repetition of 
their abuse. 

5 Child pornography constitutes prima facie contraband, and as such should 
not be distributed to, or copied by, child pornography defendants or 
their attorneys. 

6 It is imperative to prohibit the reproduction of child pornography in 
criminal cases so as to avoid repeated violation and abuse of victims, 
so long as the government makes reasonable accommodations for the 
inspection, viewing, and examination of such material for the purposes of 


mounting a criminal defense. 


SEC. 504. PREVENTION OF DISTRIBUTION OF CHILD POR- 
NOGRAPHY USED AS EVIDENCE IN PROSECUTIONS. 
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Section 3509 of title 18, United States Code, is amended by adding at 
the end the following: “PROHIBITION ON REPRODUCTION OF 
CHILD PORNOGRAPHY.” 


1 In any criminal proceeding, any property or material that constitutes child 
pornography shall remain in the care, custody, and control of either the 
Government or the court. 

2 A Notwithstanding Rule 16 of the Federal Rules of Criminal Proce- 
dure, a court shall deny, in any criminal proceeding, any request by 
the defendant to copy, photograph, duplicate, or otherwise reproduce 
any property or material that constitutes child pornography, so long as 
the Government makes the property or material reasonably available 
to the defendant. 

B For the purposes of subparagraph (A), property or material shall 
be deemed to be reasonably available to the defendant if the Gov- 
ernment provides ample opportunity for inspection, viewing, and 
examination at a Government facility of the property or material by 
the defendant, his or her attorney, and any individual the defendant 


may seek to qualify to furnish expert testimony at trial. 


cited that EnCase and FTK are the most commonly used digital forensic tools 
(Leehealey et al., 2012; United States v. Gaynor, 2008). 


EnCase® 


EnCase® is a digital forensics tool created by Guidance Software in 1997 (Amb- 
hire & Meshram, 2012). The tool is considered a leading product in digital 
forensics, with clients including government agencies (e.g., United States 
Department of Justice), law enforcement (e.g., Korean National Police, London 
Metropolitan Police), and industry (e.g., Microsoft, Boeing; Opentext, n.d.). 

EnCase is capable of acquiring data from a variety of digital devices, includ- 
ing smartphones, hard drives, and removable media (e.g., thumb drives). This 
automated tool can image the drive, without altering its contents, and then 
verify that the image is an exact copy of the original drive. EnCase is capable 
of searching the unallocated space as well as locating hidden data and deleted 
files (Maras, 2012). As shown in Figure 15.2, EnCase displays a user-friendly 
Windows interface (Garber, 2001). 
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In the United States, the first court case specifically addressing the validity 
of EnCase was State (Ohio) v. Cook (2002; Guidance Software, 2003). The 
defendant, Brian Cook, was found guilty of child pornography possession after 
his brother-in-law, Brian Brown, stumbled across a folder on Cook’s com- 
puter that contained sexualized images of children. After notifying the Ketter- 
ing Police Department, a search warrant was executed and the police seized 
several hard drives, diskettes, and computer peripheral devices from the Cook’s 
residence (State v. Cook, 2002). According to court documents, a Detective 
Driscoll identified over 14,000 pornographic images from a forensic copy of 
Cook’s hard drive that was created using the digital forensics tool, EnCase. 

At trial, the defendant challenged the “admission of any materials connected 
with the mirror image on the basis that the state did not establish the relia- 
bility of the mirror image” (State v. Cook, 2002, p. 8). The Ohio appellate 
court upheld the validity of the EnCase software since Detective Driscoll was 
trained to use EnCase, and he described the process of imaging and verifying 
the duplicate copy. The Court stated, “there is no doubt that the mirror image 
was an authentic copy of what was present on the computer’s hard drive” (State 
v. Cook, 2002, p. 9). International courts, including Singapore, Australia, and 
Canada, have also upheld the validity of digital evidence retrieved by EnCase 
(Guidance Software, 2003; see Box 15.3). 

EnCase has been involved in a number of high-profile cases. In 2002, 
San Diego computer forensic examiners uncovered child pornography after 
examining 50-year-old David Westerfield’s computer and removable media 
files using EnCase (McKay, 2002). The child pornography evidence was 


Fig. 15.2 
Screenshot 

of EnCase 
Imager created 
by Guidance 
Software 


Source: 
Screenshot 
courtesy of Alissa 
Gilbert, a PhD 
student and 
Instructor in the 
Cyber Forensics 
program 

at Purdue 
University. 
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Box 15.3. The Murder Trial of Ler Wee Teang 


Excerpt from: Murder Trial of Public Prosecutor v. Anthony 
Ler Wee Teang (Singapore) 


https://www.supremecourt.gov.sg/docs/default-source/module- 
document/judgement/2001-sghc-361.pdf 


On 20 October 2001, SI [Special Investigator] Murad used a special 
forensic software, Encase Ver 3.15a, to make a complete physical copy 


of every bit of data located in the hard disk of that same computer. 


presented as a possible motive during the trial (Congressional Record, 
2005), and in 2003 David Westerfield was sentenced to death for the mur- 
der and kidnapping of 7-year-old Danielle Van Dam. In the Richard Reid 
case, also known as the “Shoe Bomber,” EnCase uncovered a farewell email 
that was sent from the Al-Qaeda Shoe Bomber to his mother two days 
before he attempted to blow up United Airlines Flight 63, which was car- 
rying 197 passengers and crew, departing from Paris to Miami (McKay, 
2002; Shannon, 2002). 


For more information on how EnCase was used in the Shoe 
Bomber case, go online to: http://content.time.com/time/nation/ 
article/0,8599,249418,00.html 


In addition, the international community has accepted digital evidence from 
EnCase in both civil and criminal cases (EC-Council, 2017). In Wales, EnCase 
software uncovered electronic evidence in the case of Dheej Keesoondoyal 
who was an accountant at BP/Safeway. He set up a fictional company, Global 
Construction and Electrical Contractors, and created a series of false invoices 
and authorized payments to the companies in excess of £1.5 m (approximately 
$1.86 million); (WalesOnline, 2004). Keesondoyal was found guilty and sen- 
tenced to four years in prison (Guidance Software, 2014). 

In India, eight policemen, one civilian, and five terrorists were killed during 
a terrorist attack on the Parliament of India in New Delhi in 2001 (Guidance 
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Software, 2014; Negi, 2005). Mohammed Afzal received a death sentence for 
orchestrating the terrorist attack. EnCase software was used to identify evidence 
that Afzal’s laptop was used to make the fake identity cards that were found on 
the terrorists’ bodies killed in the attack (Guidance Software, 2014; Negi, 2005). 
Overall, EnCase continues to have a presence in digital forensic cases in both 


the United States and international community. 


For more information on the Mohammed Afzal case, go to: 
https://cyberblogindia.in/state-v-mohd-atzal/ 


Forensic Toolkit® (FTK®) 


FTK® is another commercial software application commonly used in digital 
forensic investigations, and was created by AccessData. AccessData was founded 
in 1987 and is considered a pioneer in digital forensics and cybersecurity 
(AccessData, 2021). Currently, there are more than 130,000 FTK users in law 
enforcement, government, and industry worldwide (AccessData, 2021.). Like 
other digital forensic software, FTK is capable of imaging a hard drive, scanning 
slack space, and identifying steganography; however, it is also capable of crack- 
ing passwords and decrypting files (Threat Analysis, 2017). 

In its current version, FTK 7 has new capabilities, including Microsoft 
SQL Server Support, Cloud Based Relational Database Services (RDS) Sup- 
port for Amazon Web Services (AWS), and a Python Scripting user inter- 
face (AccessData, 2018; see Figure 15.3). In addition, FTK includes Explicit 
Image Detection (EID) which sorts through the images on a digital device 
and flags the ones that are more likely to be child pornography by using algo- 
rithms that search for flesh tones, certain shapes, and orientations (Access- 
Data, 2014). This feature speeds up the investigation process by allowing 
computer forensic examiners to identify illicit images more quickly. For 
example, a one terabyte (1 TB) external hard drive is capable of holding up 
to a million high-quality photos (the exact number depends on the camera’s 
specifications), which is a lot of images to search through during a digital 
forensic investigation. 

The first court case to establish the validity of FTK was the civil law- 
suit Gutman v. Klein (2008). During a five-year discovery period, the judge 
ordered the defendant, Zalman Klein, to assist the opposing counsel with 


locating all of his personal computers. According to court documents, prior 
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Fig. 15.3 
Screenshot 

of Forensic 
Toolkit (FTK) 
created by 
AccessData 


Source: 
Screenshot 
courtesy of Alissa 
Gilbert, a PhD 
student and 
Instructor in the 
Cyber Forensics 
program 

at Purdue 
University. 
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to the date that he was to surrender all of his computers to the opposing 
counsel’s computer forensic examiner, Klein attempted to alter and destroy 
digital evidence on his laptop. Klein finally turned over his computer to 
the plaintiffs computer forensic expert, Douglas Vitale, who noticed that 
the laptop was “hot to touch and a screw was missing from the hard drive 
enclosure” (Gutman v. Klein, 2008). Vitale forensically imaged the defend- 
ant’s computer using the current version of FTK (vers. 2.2) at that time, and 
testified that it was an “‘accepted tool under industry standards to perform the 
imaging and create a forensic duplicate of the hard drive” (Leehealey et al., 
2012, p. 10). 

The forensic analysis revealed a number of large-scale modifications to 
the Klein laptop, including deleted files and altered time/date stamps. In 
addition, the browser history revealed that the defendant downloaded a file 
from the Internet that was meant to overwrite space and erase data. During 
the forensic examination, Vitale’s computer battery malfunctioned and 
saved the imaged hard drive as occurring on January 1, 2000 instead of 
the actual date, December 8, 2005. In Gutman v. Klein (2008), the defense 
argued that the inconsistent date suggested that the examiner had failed to 
authenticate the evidence. The court, however, ruled that since the hashes 
used by FTK matched and chain of custody was maintained, the evidence 
was authentic despite the inconsistent dates (Leehealey et al., 2012). Since 
the defendant destroyed and altered evidence, the judge recommended a 
default judgment, which is an automatic ruling in favor of the plaintiff (Gut- 
man v. Klein, 2008). 
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For more on this case, go online to: https://www.ediscoverylaw. 
com/2008/11/magistrate-judge-recommends-default-judgment-in- 


favor-of-plaintiffs-and-for-defendants-to-pay-all-reasonable-costs- 


related-to-discovery-dispute/ 


EnCase and FTK are both examples of digital forensic imaging tools, mean- 
ing the tools are designed to make an exact copy of the entire hard drive (bit 
for bit) so the investigator can examine the duplicate rather than the original 
evidence. To ensure reliability, NIST established specific criteria, as recommen- 
dations, for imaging tools used in digital investigations: 


1 the tool shall make a bit-stream duplicate or an image of an original disk 
or partition, 

the tool shall not alter the original disk, 

the tool shall be able to verify the integrity of a disk image file, 

the tool shall log I/O errors, and 


nab WwW Nd 


the tool’s documentation shall be correct 
(NIST, 2001, p. 4; see Lyle, 2003) 


In general, the digital imaging tool must be able to make an exact copy (without 
altering the original) and verify that the duplicate and original copy are exactly 
the same (e.g., compare hash values). Although not required, NIST recom- 
mends that two duplicate copies be made so that one is left undisturbed while 
the other is considered a “working copy” which is examined during the digital 
forensic investigation. 

However, sometimes the hash values for the duplicate and original copy will 
not match, which is why it is important for the tool to keep an I/O error log. 
I/O errors mean input/output errors, and these errors are often the result of a 
bad sector on the hard drive. A sector is the smallest physical storage unit on 
a computer disk drive and is almost always 512 bytes (Marcella & Menendez, 
2008). Data files are assigned to the different sectors by the file system. File sys- 
tems are simply the way in which data is organized and retrieved on a computer 
drive, and each piece of data is called a file (Bunting, 2008). So, if there is a 
damaged sector, the imaging tool will not be able to read the data stored in that 
sector. If the imaging tool is unable to read the sector, it is not possible to copy 
bit for bit all of the information on the hard drive (see Figure 15.4). Therefore, 


bad sectors will result in mismatching hash values. 
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Fig. 15.4 (a) and (b) Diagram of a hard drive, sectors, and clusters 

Source: http://commons.wikimedia.org/wiki/File:Open_hard-drive.jpg http://commons.wikimedia.org/ 
wiki/File:Disk-structure.svg 

A Data is stored on circular tracks 

B A disk is divided into pie-shaped sectors 


C A sector of a track 
D The part of a track that contains two or more adjacent sectors form a cluster 
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The hard disk platter is divided into sectors, which is where the data is 
stored. The data can be read on good sectors (010101), but the data on a bad 
sector cannot be read. 

If the imaging tool maintains an error log identifying the bad sectors, it 
will be possible for the examiner to verify that the original and duplicate copy 
are in fact the same despite the mismatching hash values. It is also impor- 
tant for the imaging tool to document the examination process (e.g., time, 
action performed). Overall, both EnCase and FTK meet the NIST require- 
ments for imaging tools and both have undergone scrutiny in a court of law. 
Digital forensics tools are not infallible, however, so the examiner should 
always proceed with caution and verify any spurious results. For example, it 
may be necessary for one digital forensics examiner to repeat the analyses of 
another examiner in order to verify the findings independently (Casey, 2011; 
Sachowski, 2018). 


Uncovering Digital Evidence 


Once the digital drive is imaged and verified, the digital forensic investigation 
moves into the examination/analysis stage. The examination phase of the 
digital forensic investigation is concerned with the recovery or extraction of 
digital data. Data recovery or extraction refers to the process of salvaging 
digital information (Casey, 2011; Kavrestad, 2020). In general, there are two 
types of extraction: physical and logical (Britz, 2013; Cahyani et al., 2017; 
NIJ, 2004). 

The physical extraction phase identifies and recovers data across the entire 
physical drive regardless of the file systems present on the drive (Cahyani et al., 
2017; NIJ, 2004). As mentioned previously, file systems are the way in which 
data is stored and retrieved on a computer drive, and each piece of data is called 
a file (Bunting, 2008). The file system dictates how the computer manages 
and keeps track of the name and location of every file on a computer (Maras, 
2012). For example, FAT and NTFS are the file systems used by certain Micro- 
soft Windows operating systems (e.g., Windows 98, Windows XP). Overall, a 
physical extraction pulls all of the digital data from a computer hard drive but 
does not take into account how the data was stored on the drive. On the other 
hand, logical extraction refers to the process of identifying and recovering 
data based on the file systems present on the computer hard drive (Cahyani 
et al., 2017; NIJ, 2004). Each extraction phase involves different methods for 


acquiring potential digital evidence. 
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Fig. 15.5 
Keyword 
searching 
through forensic 
software. 
Example of 
keyword search 
for the last 
name “Bennett” 
using the 

digital forensics 
software 
WinHex 


Source: 
Screenshot 
courtesy of 

Lt Dennis 
McMillian, the 
University of 
Alabama Police 
Department 
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Physical Extraction 


According to the NIJ (2004), there are three methods of physical extraction: 
keyword searching, file carving, and extraction of the partition table and unused 
space on the physical drive. When performing a keyword search, the digital 
forensic examiner is able to look for a word or series of words (i.e., phrase) 
in the entire physical drive regardless of the file systems. For example, the 
examiner may be able to search for a specific name (e.g., “Donna Smith’) to 
determine if there is any evidence that the suspect contacted this person. In 
addition, the digital forensics examiner can conduct a nested search, which is 
a “search within a search” (see Brown, 2003). In this case, once all of the data 
that contains the name “Donna Smith” is located, the examiner can conduct 
an additional keyword search (e.g., “murder for hire”) within that data, which 


further narrows the results. There are several digital forensics tools and software 


packages available on the market for conducting a keyword search (e.g., Sleuth 
Kit, Autopsy, FTK; see Figure 15.5). 

File carving is another physical extraction method for data recovery 
(Kavrestad, 2020; NIJ, 2004). According to Casey (2011), file carving is the 
“process of searching for a certain file signature and attempting to extract the 
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associated data” without regard for the file systems (p. 445). This means extract- 
ing pieces of information from a larger dataset without taking into consideration 
how the files were stored on the computer. File carving is a great method for 
recovering files when the file allocation table is corrupt or a file has been deleted 
because in both cases there will no longer be an entry in the directory for that 
file’s location (Beek, 2011; Cantrell & Runs Through, 2020). 

Instead of relying on the file system to locate the file, the forensic examiner 
searches for fragments of the file according to its file signature. A file signature 
is used to identify the content of a file, which in this case describes common file 
headers. File signatures can be used to locate and salvage deleted files (Cantrell 
& Runs Through, 2020; Casey, 2011). A header is the first few bytes that 
mark the beginning of a file, whereas the footer, also known as the trailer, is 
the last few bytes that mark the end of the file. All files contain a header and 
usually a footer, whether they are Word documents or JPEG files (see Sammes 
& Jenkinson, 2000). Table 15.1 contains a list of common file signatures, also 
known as magic numbers, which can vary greatly in value and length. 


For more information on common file signatures, go online to: 


www.garykessler.net/library/file_sigs.html 


In the file carving process, the digital forensics examiner will first identity 
a particular header of interest (e.g., FF D8 FF EO) and then locate the footer 
(e.g., 00 3B) in order to extract the information in between. By extracting the 
information in the middle, the examiner is essentially carving out a block of data 
(i.e., a file) from a larger set of raw data. In the example shown in Figure 15.6, 
the examiner was using the forensics software tool WinHex to search for JPEG 
headers. Common digital forensics tools that are capable of file carving include 
EnCase, FTK, Scalpel, and Foremost. 


Table 15.1 Common file signatures 


FF D8 FF Jpg. Jpeg JPEG 

4D 5A Exe DOS executable file format 
25 50 44 46 Pdf PDF document 

52 49 46 46 nn nn nn nn 57 41 wav Waveform Audio File Format 
DO CF 11 EO Doc Microsoft Office documents 
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Fig. 15.6 File 
carving. 
Example of 
file carving 
using a file 
header search 
for “JPEG” 
with the digital 
forensics 
software 
WinHex 


Source: 
Screenshot 
courtesy of 

Lt Dennis 
McMillian, the 
University of 
Alabama Police 
Department 
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The last method of physical extraction is known as partition recovery, which 


is the process of evaluating the partition table and the unused space on the physical 
drive (NIJ, 2004). Evaluating the partition tables is considered a physical extrac- 
tion method because all partition tables conform to a standard layout regardless of 
the operating system. First, when a hard drive is installed in a computer, the must 
be partitioned before it can be used. As discussed in Chapter 14, a hard drive is 
simply a data storage device for storing and retrieving data. Before you can begin 
to store information on a hard drive, it must be organized into partitions, which 
act similar to storage bins in the real world. Partitioning determines how much 
space is allocated to each storage bin, or partition. Thus, the process of dividing 
up the hard drive into separate storage spaces, known as partitions, is referred to 
as partitioning (Kavrestad, 2020; Marcella & Guillossou, 2012). 

The process of partitioning may be explained by using a house or apartment 
analogy. An apartment or house is similar to a hard drive in that there is a certain 
amount of space that is available for storage. The internal space of a dwelling 
can be divided based on the square footage to create separate rooms that vary in 
size. In this respect, a house or apartment is essentially partitioned. These separate 
rooms can then be made to “store” different things, so they act like partitions. 
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For example, a house usually has a designated room/space for a kitchen and 
bathroom, and we tend to store cooking utensils in the kitchen and toiletries in 
the bathroom. Thus, partitioning is really just the process of creating individual 
or designated storage space (i.e., partitions) within a larger storage unit (i.e., 
physical drive). 

At the beginning of the data on each disk is a partition table. The partition 
table acts as a reference description for how the operating system has divided the 
hard drive into partitions (Kavrestad, 2020; Marcella & Guillossou, 2012). They 
contain important information, such as the sizes and locations of the partitions 
and the file systems operating within each of these partitions on the hard drive. 
These partition tables can reveal to a digital forensics examiner whether or not 
space on the hard drive is hidden or contains leftover data from prior partition- 
ing. For example, free space is that portion of the hard drive that has yet to be 
assigned to a partition (Kavrestad, 2020; Mandia & Prosise, 2003). Partitions 
contain both allocated space (i.e., written to) and unallocated space (ie., 
not written to) on a hard drive, and any non-partitioned space on the hard drive 
is free space. Many of the digital forensics software tools available today auto- 
matically identity partitions, which simplifies the partition recovery process for 
investigators (e.g., EnCase, FTK, NTFS Recovery, Partition Table Doctor). 


For more information, go online to: www.symantec.com/connect/ 


articles/maintaining-system-integrity-during-forensics 


Logical Extraction 


As discussed previously, logical extraction refers to the process of identifying and 
recovering data based on the file systems present on the computer hard drive 
(NJJ, 2004). Unlike the physical extraction method, logical extraction takes into 
consideration the operating system (e.g., Windows XP) and file systems (e.g., 
NTFS) installed on the drive. During logical extraction, data may be retrieved 
from a variety of sources, such as active files, deleted files, file slack, and unallo- 
cated file space (Kavrestad, 2020; NIJ, 2004). In addition, logical extraction may 
recover digital evidence from hidden files, password-protected files, encrypted 
files, and steganography. 

Active files are existing files that are currently available on a hard drive, 
meaning they have not been deleted. On the other hand, a deleted file is a file 
whose entry has been removed from the computer’s file system (e.g., FAT) so 
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Box 15.4 Example of Partition Recovery 


Ryan Jaye is a child pornography user who stores all of his images and vid- 
eos on his computer hard drive. In an attempt to conceal his crimes, Ryan 
Jaye created two partitions on his 80 GB hard drive so that his day-to- 
day non-criminal activity would be separate from his child pornography 
activity. The hard drive was partitioned so that 60 GB were dedicated to 
non-criminal activities whereas 20 GB were dedicated to his child por- 
nography collection. Unfortunately for Ryan, law enforcement was well 
aware of his criminal activity. When Ryan Jaye became suspicious that 
he had been discovered, he decided to delete the second partition that 
contained all of the child pornography. By deleting the second partition, 
this space was no longer accounted for by the partition table, and Ryan 
believed that he had concealed his crimes. 

With an authorized warrant in hand, law enforcement seized Ryan 
Jaye’s computer in order to conduct a digital forensic investigation. The 
digital forensics investigator, Chat Stellar, examined the imaged hard drive 
using digital forensics software to identity the partition table. However, 
the partition table revealed only one partition (60 GB), leaving 20 GB 
of the hard drive unaccounted for. Luckily for law enforcement, when a 
partition is deleted, the data within that partition remains until it is over- 
written. Therefore, since Chat Stellar was able to identity space on the 
hard drive which was unaccounted for, it is likely that further forensic 
analysis would be able to recover the deleted partition. 

Overall, understanding how a partition table can reveal information 
about the layout of a suspect’s hard drive is extremely important as a phys- 
ical extraction method for uncovering digital evidence. 


that this space is now marked as usable again. As noted in Figure 15.4, a sector 
is the smallest physical storage unit on a computer disk drive, and a cluster is 
two or more consecutive sectors. It is the job of the computer’s file system to 
allocate space (i.e., sectors) to store information (see Box 15.4). 

The space allocated to these clusters is fixed in length depending on the 
operating system, but the files saved to these clusters rarely equal the same size 
of the allocated space. Consider a file that is 800 bytes in size. As previously 
discussed, a sector usually stores 512 bytes of data. So, two sectors would be 
needed in order to store an 800-byte file. If two consecutive sectors are not 
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available, the file system must allocate the data to another sector on the drive. 
A file that is stored in nonconsecutive sectors is considered to be fragmented 
(Kavrestad, 2020; Marcella & Menendez, 2008). As with the example, the 800- 
byte file is smaller than the two sectors allocated to store its data (512 bytes + 
512 bytes = 1024 bytes). Therefore, this leftover space between the end of the 
file and the end of the last storage unit for that file is known as file slack or 
slack space (Kavrestad, 2020; Scientific Working Groups on Digital Evidence 
and Imaging Technology, 2011). In other words, file slack or slack space is the 
leftover area not used between the current allocated file and the end of the last 
cluster in which the file is stored. In the current example, there would be 224 
bytes of slack space. 

As noted earlier, file systems dictate how the computer manages and keeps 
track of the name and location of every file on a disk. For example, FAT32 
(File Allocation Table) is the type of file system used in older versions of 
Windows operating systems (e.g., Windows 98, Windows ME), whereas NTFS 
(New Technology File System) is the later file system for the Windows NT 
operating systems (e.g., Windows NT 3.1, Windows XP; Marcella & Menen- 
dez, 2008). FAT32 identifies where on the hard drive a particular file is stored, 
or which clusters have been allocated to that file. Compared to the older ver- 
sions (e.g., FAT12, FAT16), FAT32 manages the space on a hard drive more 
efficiently by using smaller cluster sizes, which reduces slack space (Britz, 2013; 
Kavrestad, 2020). 

In contrast, NTFS offers better security since it can restrict access to spe- 
cific partitions or files on a hard drive, making it more difficult to recover 
files (Kavrestad, 2020; Marcella & Menendez, 2008). However, NTFS creates 
a Master File Table (MFT), which contains information about all of the files 
and folders on a drive. The MFT can provide valuable information to a forensic 
examiner, including file type, size, and the data/time of creation and modifica- 
tion (Carrier, 2005; Kavrestad, 2020). 

To better understand sectors, clusters, and file slack, consider the two-car 
garage analogy. A two-car garage can be considered a cluster that is made up of 
two separate garages (sectors). In this two-car garage, we can fit different models 
of vehicles, all of which vary in size. In fact, an individual could choose to store 
one or two larger vehicles or several smaller vehicles, such as motorcycles or 
dirt bikes. The space allocated to the two-car garage remains the same; the only 
thing that changes is what is being stored in the garage. So, if an individual can 


only afford to buy one car, there will be space left open in the two-car garage. 


This leftover space is the “file slack” or “slack space” in this analogy. 
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Intuitively, it makes sense why a digital forensics examiner would be inter- 
ested in the active files and deleted files on a hard drive. However, why would a 
digital forensic examiner be interested in this leftover space on a hard drive? The 
file slack can be a rich source of information because this leftover space does not 
remain unused. The computer’s operating system wants to use all available space 
in a cluster, so it will either write random bits of data (known as padding) or store 
whatever bits of old data remain in the unused sectors. In general, file slack can 
be broken down into either RAM slack or drive slack (Barrios & Signori, 2010). 

If there is unused space between the end of the last file and the end of 
the sector, the operating system will store bits of information from its Ran- 
dom Access Memory (RAM). The RAM is considered “working memory” 
because it stores that part of the data that is currently being used by the com- 
puter. In addition, RAM is considered volatile in nature, meaning the data 
disappears when the computer is powered off (Maras, 2012; see Box 15.5). 
When randomly selected data from RAM is stored in the file slack, it is known 
as RAM slack (Barrios & Signori, 2010; Kavrestad, 2020). In contrast to RAM, 
RAM slack is not volatile since these random bits of data are written to the hard 
drive. Thus, it is possible for RAM slack to contain important information, such 
as network login names and passwords. 

If there is any unused space between the start of the next sector and the end 
of the cluster, the operating system uses this space as drive slack by storing old 
information that was once available on the storage device (Barrios & Signori, 
2010). The operating system does not write any new information to that space, 
so old information that was once stored there will remain until those sectors are 
filled with new file data. For example, the drive slack could contain fragments of 
deleted word processing documents or old emails. Thus file slack is a gold mine 
of information in digital forensics because it contains either randomly dumped 


Box 15.5 Data Sectors 


In this example, the cluster contains four sectors. Each sector is able to 
hold 512 bytes of data. So, if the file system assigns a data file that is larger 
than 512 bytes of data, the file will be stored in the consecutive sectors. 


Sector 1 Sector 2 Sector 3 Sector 4 
(512 bytes) (512 bytes) (512 bytes) (512 bytes) 
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Box 15.6 Slack Space 


As shown in this example, a data file was stored in Sector 1 and in part of 
Sector 2. The unused space from the end of the data file to the end of the 
cluster is known as slack space or file slack. There are two types of slack 
space: RAM slack and drive slack. The remaining space between the end 
of the data file and the end of Sector 2 is called RAM slack, and from the 
beginning of the next sector to the end of the last sector is known as drive 
slack (see Barrios & Signori, 2010). 


Data file RAM slack Drive slack Drive slack 


Sector 1 Sector 2 Sector 3 Sector 4 


information from the computer’s memory (i.e., RAM slack) or remnants of 
previously deleted files (i.e., drive slack; see Box 15.6; Kavrestad, 2020). 

Data may also be retrieved from unallocated space in the partitioned hard 
drive during a logical extraction. Unallocated space is the unused portion of 
the hard drive that the operating system can write to (Casey, 2011; Kavrestad, 
2020), and may best be thought of as unallocated clusters (Mallery, 2007). Essen- 
tially, unallocated space is that part of the hard drive that is not currently storing 
any files, but unallocated space is not empty per se. When a file is deleted, the 
entry in the file system that used to reference the now deleted file is removed 
so that the operating system is aware that this space is now unallocated. Dur- 
ing this process the actual file is not deleted, just the entry in the file system. 
The “deleted” file, or parts of it, will remain in the unallocated space until it is 
completely written over by a new file. Therefore, it may be possible to extract 
information from deleted files that have yet to be overwritten in the unallo- 
cated space of a hard drive (Kavrestad, 2020; Mallery, 2007). There are several 
forensic tools available for logical extraction of the unallocated space of a hard 
drive, such as WinHex, EnCase, FIK, and DataLifter. 


For more information on how deleted files are created and stored 
on your computer, go online to: https://www.giac.org/paper/gsec/ 
1020/secure-file-deletion-fact-fiction/102029 
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Logical extraction may also recover digital evidence from hidden files, pass- 
word-protected files, encrypted files, and steganography. Hidden files are files 
that have been manipulated in such a way as to conceal the contents of the 
original file (Britz, 2013). For example, an individual attempting to hide a file 
might try to alter the file extension. File extensions are that part of the file’s 
name that tells the operating system what program to use when you want to 
open it (Kavrestad, 2020; Savage & Vogel, 2009). Common file extensions are 
.doc (Microsoft Word documents), .pdf (Adobe portable document format), 
and .mp3 (MP3 audio file). 

One easy way to conceal or hide a file is to change the file extension so that 
the operating system will use the wrong program to open the file, resulting in an 
error. To conceal a Microsoft Word document (.doc), the file extension could be 
manually changed from .doc to .mp3 (MP3 audio file). If someone double-clicks 
on the file to open it, the operating system will fail to open the file because it 
treated it as an audio file rather than a Word document. Since files also contain 
a file header or signature appearing at the beginning of the file, it identifies the 
file type to the operating system. File headers can be identified and compared to 
the file extensions using basic digital forensics tools. Any files with mismatched 
headers and extensions can then be flagged for further analysis. 

According to Casey (2011), two of the greatest obstacles for digital forensics 
examiners are password-protected and encrypted files. Password-protected 
files are locked files that require a password to gain access, which prevents 
other people from opening or modifying these files (Britz, 2013). For password- 
protected files, digital forensics examiners use specialized cracking dictionar- 
ies and software in order to circumvent the protection, such as AccessData’s 
Distributed Network Attack (DNA) and Password Recovery Toolkit (PRTK; 
Casey 2011; Wiles, 2007). Unfortunately, efficient password cracking can 
require expensive hardware and methodology that is not available to forensic 
practitioners. There may be password cracking techniques on the horizon, such 
as Probabilistic Context-free Grammars (PCFG) password guessing and Markov 
models to greatly improve cracking passwords (Aggarwal et al., 2018). 

Similar to password-protected files are encrypted files in that both are con- 
cerned with privacy. Encryption is the process of transforming information 
(plaintext) so that it is no longer legible (ciphertext) by using a mathematical algo- 
rithm (Casey, 2011; Kessler, 2000; Sammons, 2012). In other words, plaintext 
(i.e., the legible message) is transformed into ciphertext (an illegible message) 
through the use of a cipher, which is a mathematical formula (algorithm) that 
uses a set of rules for transforming the message (Kavrestad, 2020; Kessler, 2000). 
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Most encryption programs require an access key, which is essentially a 
password that unlocks the file so that the same algorithm that encrypted the 
information is now used to decrypt it (see Box 15.7). By entering the access 
key, the same algorithm used to encrypt the illegible message (ciphertext) now 
decrypts it back into the original legible message (plaintext). 

Using encryption is not uncommon; it is commonly used by businesses 
(e.g., banks) and government agencies (e.g., NSA), both of which have vested 
interests in protecting privacy. The strength of encryption programs varies, and 
sometimes digital forensics examiners can use specialized programs to break 


encryption. However, there are encryption programs that have proven resilient 


Box 15.7. An Example of Encryption 


The plaintext message (original) states, “Hello! Pretty Good Privacy (PGP) 
is the most widely used non-proprietary email encryption program.” 
However, once the plaintext message is encrypted, it is illegible (cipher- 
text). Notice the subject line is not encrypted. In order to decrypt the 
message, you will need to enter the access key to unlock the decryption. 


e098 Subject line is not encrypted 


a —— Options 


=o dmcacmicor | 


Format 


"(fej Background Picture Permissions Security © Scrapbook Reference ~ Spelling © 


From: University of Alabama (Seigfried-Spellar, Kathryn) oy 
To: | Microsoft Office User i) 

Ce: 3) 
Bcc: i) 
Subject: [Subject line is not encrypted | 


& This message will be encrypted. 


Hello! 
Pretty Good Privacy (PGP) is a most widely used non-proprietary email encryption program. 
For more information, visit: http://www.openpgp.org 


All the best, 
Dr. Seigfried-Spellar| 


Figure 15.7a The plain text message 
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‘e000 Subject line is not encrypted - Inbox 


Subject line is not encrypted 
Seigfried-Spellar, Kathryn 


Sent: Tuesday, June 10, 2014 at 12:18 PM 
To: Seigfried-Spellar, Kathryn 


—---BEGIN PGP MESSAGE----- 
Version: GnuPG/MacGPG2 v2.0.17 (Darwin) 


hQEMA0D8wFQpWGKaXAQfiSoe2pdhb0oeTvhsP4tw9SFZSPJ/BmzQXgKNKBNCKU5Y7 
KZsv9zJwWp2qjr/YwMTIwOIEZImQB4SU1+qf7FVEhr8P8ktUPaZb8/6QdJBytd35 
5IUHGkVzt4tx2rarxPOg1Uy6OTCr0oeY4jLMb4sU/OKdOnGZNiLtfuszYD5jqhQ+ 
ilc1iQm7006J1iu1u3zhSXJSZ+5b3cOwg4 7kFBUSOqg2+1iEPdEMaaVO05yzphiK2P 
ZucQQNriHSigqHPV/N1Z2gtUvRZScWGt3DSgqrMYi26JFfSHnMQpF8Ci+tgrtgVI 
xNBgLVI1cJ//UbdBmjaFOyY ChJccTUzK3/DYbhVZzYUBDANxpkhSIhF/GwEIAMis 
H9LzexiZdGaswJO2VOILLVCyoQnJ1 UPTpbONMNZCIrU1V6e398X44AGJR56mIV8P 
XKtQYtht0Ade+0Y Bbqg0sf4p6vkyXkx+pD2bOKwv921qAr/68JDx9GOgt/9LbGWg 
s4YBoWWfMzdBy3LeWUvuM8k8nuVdvKxTOGFdlDgyo8f7 2EIZ/vQ0uHMwS+lujEDB 
bHu8WSvpmOk7StGjJnMStU0VqN/Uau1 SLOBSAh6aCmH+ifQhJjJp53FKGLsXVxot 
OfS1bE30x70F +OdRjXw36JoeUpjv1 b/C6ATmMNdwN/LRZ34dESjrixkE9WBzfNsVk 
dA6pOmSUOviBARZIIYvS6wEr+LilhY SqUtj/EPYQ77LhTZgGLhRLWdQWvOQrkz7fjcH 
9IZU1ACLiPg4KxJa7Z5dZ6gHyCHkEtk+solMKIY7CSYJUUsLBjsbTp3BUQCjtFGR 
STgo7cjJKloZXjUiglIUq0ld7zlccOv7oudPQOgWP9+th+o01 SRpBVREByG4ecdzpvY 
H3dyQPIHLXP62JYQKCXy3oBk0rlUg6A/zivymVtT pegA00vD853Swr4jGWJrveqP 
GuteRvO7ViT5bn73dV+WiY OKpquDXI2agA+pP/aYrOriXAlil1 MePb2wZal0OzUv 
c8PLYrWLdMpFXbRP+FOA48hMI26o0qiU7 QqzAqa1 AEQwaBdecNv2uCNGyjsAvF5gY 
onvm8Fzuw3DPSxv18c3eVFhhyOBtaPRvM55uDPgixywyaHNoLdH+r0Zz+1PhOIBU 
YBigzfs2miDEW7B8kTNtq2ghaGSbB5Qw/cJTwxKi/gO 1 Z9kIt/Imjknagga0UIEo 
heMTuZ59B+HegXWFFS8HIkih+ByjF77 Y 6/llwoOpjzixTsKwVIVviznTsILw19gRU 


-----END PGP MESSAGE---- 


Figure 15.7b The message once encrypted using PGP 


and remain unbreakable, leading some countries to consider whether a sus- 
pect can be compelled by a court of law to provide the encryption key (see 
Chapter 16 for more detail). 

Finally, steganography is the practice of hiding information in such a way 
that others are not aware that a hidden message exists (Kessler, 2004). Steganog- 
raphy is different from encryption because the goal of steganography is secrecy 
rather than privacy (i.e., hidden data vs. illegible data). The primary purpose of 
steganography is to hide a secret message within a transport medium such as 
an image or video file. This transport medium is known as a carrier (Kessler, 
2004). The process of steganography involves replacing bits of useless or unused 


data in a file with bits of different, invisible data. Once the carrier medium has 
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the secret message embedded it becomes the steganography medium, and 
only those individuals with the appropriate knowledge and software can reveal 
the secret message hidden within the carrier. There are a number of software 
programs available for creating steganographic images (see Johnson, n.d.), as 
well as mobile phone apps. 

Steganography can be used to conceal a variety of criminal activities, such as 
stolen credit card information, child sex abuse images, or terrorist plots. For 
example, a child pornography user may covertly send child sex abuse images via 
email by embedding the illicit images within neutral images, such as images of a 
cat. In this example, the neutral image of the cat is the carrier, and becomes 
steganography once the child pornography image is embedded within the car- 
rier. There are a range of digital forensics tools available for detecting steganog- 
raphy to assist forensic examiners, including [Look Investigator, Stegdetect, 
StegoHunt, Xsteg, and Foundstone. Steganography is difficult to detect, even 
with the tools available, so the most effective method to detect stego is the 
human eye (Yari & Zargari, 2017). 


For more on the use of steganography, go online to: http:// 
www.washingtonpost.com/wp-dyn/content/article/2010/06/30/ 
AR2010063003108_pf-html 


Overall, uncovering digital evidence is a time-consuming process to ensure 
that all possible data is recovered using both physical and logical extraction 
methods. Not including active files, there is a mountain of data that can be 
extracted from the allocated, unallocated, and free space of a hard drive. Digital 
forensics examiners not only extract data from active files, but they recover data 
from deleted partitions, hidden files, encrypted files, and file slack. Now that the 
data has been recovered, the digital forensics examiner must be able to recon- 
struct the digital crime scene. The process of reconstructing the digital crime 


scene leads to the analysis phase. 


Data Analysis 


The analysis phase of the investigation refers to the interpretation and recon- 
struction the digital crime scene (Casey, 2011; NI, 2004). This process is not 


an easy task due to the large amounts of data uncovered during a digital forensic 
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investigation. For example, a 1 terabyte (1 TB) hard drive is essentially one 
trillion bytes. As discussed in Chapter 12, a byte is a unit of digital information. 
Since a computer traditionally uses one byte of space to represent a single char- 
acter (e.g., a single letter such as “a”), if a single word processing document 
holds 5,000 characters per page, a 1 TB hard drive could hold 220 million pages 
of text (Baier, 2011/2012)! 

In addition, if it were possible to print 20 sheets of text per minute, it would 
take approximately 21 years to print all of the documents on a 1 TB hard drive. 
If all these printed pages could be stacked it would be over 13 miles tall (Baier, 
2011/2012). Currently, a 1 TB hard drive costs less than $100, and companies 
are even manufacturing 1 TB USB flash drives as well as 6 TB hard drives. 

The large data volume issue is further compounded for networks where 
100s or 1000s of computers and other systems are interconnected over various 
technologies. That is, there is a vast amount of data being created and transmit- 
ted on a daily basis by large-scale computer networks (Goodison et al., 2015; 
Hansen et al., 2018; Rogers & Seigfried-Spellar, 2016). It is estimated that the 
total amount of data generated will reach 163 ZB (163 billion TB) by the year 
2025 (Reinsel et al., 2017). This will result in 3.3 ZB of traffic over the Inter- 
net backbone (Cisco, 2017) with up to 100X this amount flowing over private 
enterprise networks per annum. This creates a major challenge for the ability 
to capture that amount of network traffic as well as an additional challenge to 
have the ability to perform any useful analysis. According to Garfinkel (2002), 
there are organizations that “routinely record some or all of the traffic on their 
external Internet connections” (para 9). This defines an explicit need for tools 
capable of dealing with large volumes of data. 

The rapid rise in technology consequently has led to data overflow and the 
Big Data problem (Khan et al., 2018). The issues and challenges associated with 
Big Data are often characterized by the “Vs of Big Data.” Initially, the Big Data 
problem could be summarized by 3 Vs (Laney, 2001); however, researchers 
over time have included additional Vs (Dean & Ghemawat, 2008; Gandomi & 
Haider, 2015; Khan et al., 2018; Schroeck et al., 2012). In fact, some researchers 
have extended the characteristics to as many as 51 Vs (Khan et al., 2019). 

Overall, the overarching challenges associated with Big Data can be 
summarized by the following 3Vs: Volume, Velocity, and Variety. Volume 
refers to the size of the dataset, which continues to grow faster than our 
traditional computational abilities. Velocity refers to the speed at which data 
is generated. Variety refers to the type and organization of data. Extend- 
ing this current state of tools, having forensically sound processing and 
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processes, and dealing with the exascale “big data problem” is necessary for 
the continued advancement of admissible evidence within the courtroom 
(Goodison et al., 2015). 

After recovering the data during the examination phase, the next step is data 
reduction and filtering which occurs during the analysis phase. By reducing 
the dataset, the digital forensics examiner only interprets those files relevant to 
the investigation. Filtering may involve removing duplicate files, searching for 
keywords, or grouping data based on file types (Casey, 2009). For example, a 
digital forensics examiner may search for and group together image file types 
(e.g., JPEG, GIF, BMP) when investigating a child pornography case. In addi- 
tion, file hashes can be used to eliminate duplicate data (Kavrestad, 2020; Pollitt 
& Whitledge, 2006). 

As discussed previously, a hash value is a number generated by an algorithm 
to substantiate the integrity of digital evidence (Scientific Working Groups on 
Digital Evidence and Imaging Technology, 2011). However, a hash value can 
also be used to identify unique or duplicate files. A hash value can be created 
for every file, and is a unique number similar to a digital fingerprint. If two files 
have the same hash value, they are duplicates or exact copies of one another, 
which can be filtered out as nuisance data. 

Hash values can also be compared to datasets that contain known hash values 
for specific files, such as illicit materials (e.g., child pornography), steganogra- 
phy, or proprietary software. For instance, the National Software Reference 
Library (NSRL) is supported by the DHS and NIST (NIST, 2019). Accord- 
ing to NSRL, a typical desktop computer may contain between 10,000 and 
100,000 files, so by using a repository of known hash values, a forensic examiner 
can reduce the number of files that need to be manually examined. 

The process of filtering the dataset and removing non-user-created files (e.g., 
operating system, program files) is sometimes referred to as de-NISTing. The 
term de-NISTing comes from the fact that the known hash values for these 
noise files are maintained and published by NIST’s NSRL (see Waxse, 2013). 
Overall, filtering the dataset for known hash values not only reduces the num- 
ber of files that need to be examined but also increases the efficiency of the 
investigation (NIST, 2019). 

The ultimate goal of data reduction and filtering is creating the smallest dataset 
with the highest potential of containing relevant digital evidence (Casey, 2011). 
The criteria for including and excluding data is extremely important otherwise 


potential digital evidence may be discarded or overlooked during the filtering 


process. The final result of the examination/analysis phase is a reconstruction of 
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the digital crime scene, so any disregarded evidence could significantly impact 
the findings of an investigation (Kavrestad, 2020). 


Reporting of Findings 


The final stage in the digital forensic investigation is the report/presentation 
phase. In the report/presentation stage, the findings that are determined 
to be relevant to the investigation are finalized in a report. How evidence 
is determined to be relevant to an investigation will be discussed further in 
Chapter 16, and essentially refers to evidence that pertains directly to the 
facts of a case. Only relevant evidence should be included in the final report, 
rather than hypothetical or theoretical evidence (see Beebe & Clark, 2005; 
Kavrestad, 2020; Sachowski, 2018). In addition, this report should reflect 
complete transparency, meaning each step described in detail so as to leave no 
mystery in the digital forensics process. Specifically, the digital forensic techni- 
cians should be prepared to testify in court regarding the survey/identification 
(e.g., chain of custody), collection/acquisition (preservation, forensic tools), 
and examination/analysis (data recovery and reduction) stages of the digital 
forensic investigation. 

Along with transparency, the digital forensic examiner should remain 
objective when drawing conclusions from the digital evidence. According 
to the Association of Chief Police Officers of England, Wales, and Northern 
Ireland, “a digital forensic practitioner must be aware of their duty of impar- 
tiality and that they must communicate both the extent and the limitations 
of the digital forensic evidence” (Williams, 2012, p. 12). All conclusions 
made by the examiner should be supported by objective evidence to limit 
confirmation bias. Confirmation bias is the tendency to accept information 
that confirms our beliefs while rejecting information that contradicts those 
beliefs (Goodwin, 2009). Humans are naturally drawn to information that 
matches our belief systems, leading people to ignore conflicting informa- 
tion. If a digital forensics examiner believes that a suspect is guilty, prior to 
examining the evidence, it is plausible that potential evidence exonerating a 
suspect may be overlooked or evidence may be labeled as incriminating 


even when it is not. 


For more information on issues of evidence, go online to: https:// 
www.huftpost.com/entry/forensic-evidence_b_3178848 
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Kassin et al. (2013) use the term forensic confirmation bias to “sum- 
marize the class of effects through which an individual’s preexisting beliefs, 
expectations, motives, and situational context influence the collection, per- 
ception, and interpretation of evidence during the course of a criminal case” 
(p. 45). The authors make a number of proposed reforms for reducing bias in 
the forensic laboratory and in the courtroom. For example, forensic examiners 
should not receive irrelevant information that may taint their evaluation of the 
evidence. A digital forensics examiner does not need to know that the suspect 
confessed to downloading Internet child pornography. The fact that the suspect 
confessed should have no bearing on whether evidence is present or absent on 
a hard drive. 

In addition, Kassin et al. (2013) recommend that an independent forensics 
examiner verify the findings of the initial examination. This independent foren- 
sic examiner should also be completely unaware, or blind, to the conclusions 
reached by the initial examiner. Finally, the authors conclude that any forensic 
science education or certification should include training in basic psychology 
and, more specifically, the influence of confirmation bias (Kassin et al., 2013). 
Overall, the final report should reflect not only the integrity of the evidence but 


also the integrity of the forensic examiner. 


Summary 


This chapter began with a review of the case of Gates Rubber Co. v. Bando 
Chemical Industry (1996) identifying the importance of data preservation. A small 
error, such as forgetting to use a write blocker or create a duplicate image, 
could result in a loss of potential evidence. In addition, the Casey Anthony case 
is a perfect example of how uncaptured data (e.g., Google search for “fool- 
proof suffocation” methods) may have influenced the outcome of the trial. The 
Orange County Sheriffs department admitted to overlooking evidence of a 
Google search for “fool-proof suffocation” methods the day the daughter was 
last seen alive (see Associated Press, 2012). 

There are a number of mistakes that can be made during the perseveration 
and acquisition phases. It is also important to consider how examiner objectiv- 
ity can be maintained and avoid forensic confirmation bias. If the court ques- 
tions the integrity of the examiner or the forensic laboratory, evidence may be 
deemed inadmissible in a court of law. The digital forensic investigation process 


is constantly under scrutiny, and the validity of digital forensics is assessed by 


whether or not the evidence is admissible in a court of law. 
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Verification 
Volatile 
Wiping 
Write 

Write blocker 


Discussion Questions 


1. The data preservation stage of the collection/acquisition phase of the dig- 
ital forensic process involves careful planning on the part of the examiner. 
Identify five ways in which the digital evidence can be tainted during the 
data preservation process. 

2. A fellow classmate is confused about the following terms: slack space, 
clusters, and sectors. The book provided the analogy of a two-car garage 
to assist readers with these different terms. Create a different analogy to 


explain these different terms to your classmate. 


iS) 


. It is extremely important that digital forensic examiners are able to ver- 
ify the authenticity of the digital evidence. Explain whether the courts 
should be concerned with the use of hash algorithms for verifying the 


authenticity of digital evidence. 


> 


Provide two examples of how confirmation bias could influence the 
integrity of a case. What are some ways we can limit the influence of 


forensic confirmation bias? 


References 


AccessData. (2013). Case study: Royal Military Police seeks out AccessData for 
digital forensics. https://accessdata.com/assets/pdfs/FTK___AD_Lab_Royal_ 
Military_20Sept2015.pdf 

AccessData. (2014, August 21). AccessData forensic toolkit: User guide. https:// 
ad-pdf's3.amazonaws.com/ftk/ftk%205.5/FTK_UG.pdf 

AccessData. (2018, November 20). AccessData forensic toolkit 7.0 release notes. 
https://ad-pdf.s3.amazonaws.com/ftk/7.x/FTK_7_0_RN.pdf 


AccessData. (2021). Who we are. https://accessdata.com/about/who-we-are 


Examination of Forensic Evidence 


Adam Walsh Child Protection and Safety Act. (2006, July 27). Pub. L. 
No. 109-248, codified at 42 U.S.C. §16911 et seq. 

Aggarwal, S., Houshmand, S., & Weir, M. (2018). New technologies in password 
cracking techniques. In Lehto M. & Neittaanmaki P. (Eds.). Cyber security: Power 
and technology. Intelligent systems, control and automation: Science and engineering 
(Vol. 93). Springer. https://doi.org/10.1007/978-3-319-75307-2_11 

Ambhire, V. R., & Meshram, B. B. (2012). Digital forensic tools. IOSR Journal 
of Engineering, 2(3), 392-398. 

Associated Press. (2012, November 25). Casey Anthony detectives overlooked Google 
search. Retrieved March 19, 2014, from www.bigstory.ap.org 

Baier, H. (2011/2012). On the use of hash functions in computer forensics. https:// 
www.fbi.h-da.de 

Barrios, R. M., & Signori, Y. (2010). RAM and file systems investigations. In 
J. Bayuk (Ed.), CyberForensics: Understanding information security investigations 
(pp. 103-116). Springer. 

BBC News. (2013, July 30). David Guy dismemberment: David Hilder guilty of 
manslaughter. www.bbc.com/news 

Beebe, N. L., & Clark, J. G. (2005). A hierarchical, objectives-based framework 
for the digital investigations process. Digital Investigation, 2(2), 147-167. 

Beek, C. (2011). Introduction to file carving. Retrieved March 12, 2014, from 
www.mceafee.com 

Biham, E., & Chen, R. (2004, August). New results on SHA-0 and SHA-1. 
In V. Shoup (series ed.), Lecture notes of the Institute for Computer Sciences, 
Advances in Cryptography — Crypto 2004 (pp. 290-305). 

Bitansky, N., & Degwekar, A. (2019). On the complexity of collision resistant 
hash functions: New and old black-box separations. In Theory of cryptography 
conference (pp. 322-450). Springer. 

Bond, A. (2013, August 14). DNA from a cat snares killer after its hair was found 
on victim’s dismembered body. www.dailymail.co.uk 

Britz, M. T. (2013). Computer forensics and cyber crime (3rd ed.). Prentice Hall. 

Brown, C. (2003). The art of key word searching. Technology Pathways. http:// 
techpathways.com 

Bunting, S. (2008). EnCE — The official EnCase certified examiner study guide 
(2nd ed.). Wiley Publishing, Inc. 

Cahyani, N. D. W., Martini, B., Choo, K. K. R., & Al-Azhar, A. M. N. 
(2017). Forensic data acquisition from cloud-of-things devices: Windows 
smartphones as a case study. Concurrency and Computation: Practice and 
Experience, 29(14), e3855. 


613 


Examination of Forensic Evidence 


614 


Cantrell, G. D., & Runs Through, J. (2020). Teaching data carving using the 
real world problem of text message extraction from unstructured mobile 
device data dumps. Journal of Digital Forensics, Security and Law, 14(4), 4. 

Carrier, B. (2005). File system forensic analysis. Addison-Wesley. 

Casey, E. (2009). Handbook of digital forensics and investigation. Elsevier 
Academic Press. 

Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, 
and the Internet (3rd ed.). Academic Press. 

Cisco. (2017). The zettabyte era: Trends and analysis. Cisco. https://www.cisco. 
com/c/en/us/solutions/collateral/serviceprovider/visual-networking-index- 
vni/vni-hyperconnectivity-wp.html 

Congressional Record. (2005). Proceedings and debates of the 109th congress, 
September 8 to September 22, 2005 (Vol. 151, Part 15, pp. 19737-21176). 
Washington, DC: United States Government Printing Office. 

Dean, J., & Ghemawat, S. (2008). MapReduce: Simplified data processing on 
large clusters. Communications of the ACM, 51(1), 107-113. 

Eastlake, D., & Jones, P. (2001, September). US secure hash algorithm 1 (SHA 1). 
IETF. http://tools.ietforg 

EC-Council. (2017). Computer forensics: Investigating data and image files (2nd ed.). 
United States. 

Falayleh, M. A., & Al-Karaki, J. N. (2013). On the selection of write blockers for 
disk acquisition: A comparative practical study. The Society of Digital Information 
and Wireless Communications (SDIWC). http://sdiwe.net 

Gandomi, A., & Haider, M. (2015). Beyond the hype: Big data concepts, methods, 
and analytics. International Journal of Information Management, 35(2), 137-144. 

Garber, L. (2001, January). EnCase: A case study in computer-forensic 
technology. IEEE Computer Magazine. 

Garfinkel, S. (2002). Network forensics: Tapping the internet. O’Reilly Network. 
Retrieved on January 25, 2014. 

Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital 
Investigation, 7, S64—S73. 

Gates Rubber Company v. Bando Chemical Industry, Limited, 167 F.R.D. 

90) (D.C, Coal. 1996): 

Goodison, S., Davis, R., & Jackson, B. (2015). Digital evidence and the US 
criminal justice system. RAND. https://www.ncjrs.gov/pdftiles1/nij/ 
grants/248770.pdf 

Goodwin, C. J. (2009). Research in psychology: Methods and design (6th ed.) John 
Wiley & Sons, Inc. 


Examination of Forensic Evidence 


Guidance Software, Inc. (2003, December). EnCase® legal journal. http://isis. 
poly.edu 

Guidance Software. (2014). EnCase® legal journal (5th ed.). Guidance Software, 
Inc. https://www.guidancesoftware.com/docs/default-source/document- 
library/publication/encase-legal-journal—5th-edition.pdf?sfvrsn= 12 

Gutman v. Klein, US Dist. LEXIS 92398 (E.D.N.Y. Oct. 15, 2008). 

Hansen, R. A., Seigfried-Spellar, K. C., Lee, S., Chowdhury, S., Abraham, N., 
Springer, J. A., & Rogers, M. K. (2018). File toolkit for selective analysis & 
reconstruction (FileTSAR) for large-scale networks. In Proceedings of the 2018 
IEEE international conference on big data, Seattle, WA, December 10-13, 2018 
(pp. 3059-3065). 

ISO/IEC (2012). 27037: Guidelines for identification, collection, acquisition, and 
preservation of digital evidence. www.iso.org 

Johnson, N. F. (n.d.). Steganography software. www .jjtc.com 

Johnson, T. A. (2006). Forensic computer crime investigation. CRC Press. 

Kassin, S. M., Dror, I. E., & Kukucka, J. (2013). The forensic confirmation 
bias: Problems, perspectives, and proposed solutions. Journal of Applied Research 
in Memory and Cognition, 2(1), 42-52. 

Kavrestad, J. (2020). Fundamentals of digital forensics: Theory, methods, and real-life 
applications. Springer Nature. 

Kessler, G. C. (2000). An overview of cryptographic methods. In J. P. 
Slone (Ed.), Local area network handbook (6th ed., pp. 73-84). CRC 
Press LLC. 

Kessler, G. C. (2004). An overview of steganography for the computer 
forensics examiner. Forensic Science Communications, 6(3). https://archives.fbi. 
gov/archives/about-us/lab/forensic-science-communications/fsc/july2004/ 
research/2004_03_research0O1.htm 

Khan, N., Alsager, M., Shah, H., Badsha, G., Abbasi, A., & Salehian, S. 
(2018). The 10 Vs, issues and challenges of big data. In Proceedings of 2018 
international conference on big data and education (ICBDE), ACM, Honolulu, 
HI, USA (pp. 52-46). 

Khan, N., Naim, A., Hussain, M., Naveed, Q. N., Ahmad, N., & Qamar, S. 
(2019, May). The 51 V’s of big data: Survey, technologies, characteristics, 
opportunities, issues and challenges. In Proceedings of ACM omni-layer 
intelligent systems conference (COINS’19), ACM, Heraklion, Crete, Greece 
(pp. 1-6). 

Laney, D. (2001). 3D data management: Controlling data volume, velocity 
and variety. META Group Research Note, 6, 70. 


615 


Examination of Forensic Evidence 


616 


Larence, E. R. (2011). Combating child pornography: Steps are needed to ensure 
that tips to law enforcement are useful and forensic examinations are cost effective. 
DIANE Publishing. 

Leehealey, T., Lee, E., & Fountain, W. (2012). The rules of digital evidence and 
AccessData technology. AccessData. https://www.accessdata.com 

Liu, D. (2011). Next generation SSH2 implementation: Securing data in motion. 
Syngress. 

Lyle, J. R. (2003). NIST CFTT: Testing disk imaging tools. International Journal 
of Digital Evidence, 1(4), 1-10. 

Mallery, J. R. (2007). Secure file deletion: Fact or fiction? SANS Institute. www. 
sans.org 

Mandia, K., & Prosise, C. (2003). Incident response and computer forensics (2nd ed.). 
McGraw-Hill Osborne Media. 

Maras, M. (2012). Computer forensics: Cybercriminals, laws, and evidence. Jones 
and Bartlett Learning. 

Marcella, A. J., & Guillossou, F. (2012). Cyber forensics: From data to digital 
evidence. John Wiley & Sons, Inc. 

Marcella, A. J., & Menendez, D. (2008). Cyber forensics: A field manual for 
collecting, examining, and preserving evidence of computer crime (2nd ed.) Taylor & 
Francis Group, LLC. 

McKay, J. (2002, August 13). Encase helps finger murder suspect. www.govtech. 
com/security 

Mishra, S. (2007). Keyword indexing and searching for large forensics targets using 
distributed computing [Unpublished master’s thesis]. University of New Orleans, 
New Orleans, LA. 

Morris, J. (2010, November 2). Maintaining system integrity during forensics. 
Security Focus. www.securityfocus.com 

National Institute of Justice. (2004). Forensic examination of digital evidence: A 

guide for law enforcement. US Department of Justice. 

National Institute of Standards and Technology. (n.d.). Computer forensics tool 

testing program — Overview. www.ctftt.nist.gov/project_overview.htm 

National Institute of Standards and Technology. (2001, November 7). General 

test methodology for computer forensics tools. US Department of Commerce. 

National Institute of Standards and Technology. (2004, May 19). Hardware write 

blocker device (HWB) specification (Version 2.0). US Department of Commerce. 

National Institute of Standards and Technology. (2019, November 18). National 


software reference library (NSRL). https://www.nist.gov/itl/ssd/software- 
quality-group/national-software-reference-library-nsrl 


Examination of Forensic Evidence 


National Research Council (2009). Strengthening forensic science in the United 
States: A path forward. The National Academic Press. 

Negi, S. S. (2005, August 5). Afzal to die; Shaukat gets 10-year jail term. http:// 
www.tribuneindia.com/2005/20050805/main1 .htm 

Opentext Security. (n.d.). EnCase®: Digital forensics. https://security.opentext. 
com/encase-forensic 

Polk, T., Chen, L., Turner, S., & Hoffman, P. (2011, March). Security 
considerations for the SHA-0 and SHA-1 message-digest algorithms. Internet 
Engineering Task Force (REF #6194). http://tools.ietf.org 

Pollitt, M., & Whitledge, A. (2006). Exploring big haystacks: Data mining 
and knowledge management. In M. Olivier & S. Shenoi (Eds.), Advances in 
digital forensics II (pp. 67-76). Springer. 

Reinsel, D., Gantz, J., & Rydning, J. (2017, April). Data age 2025: The evolution 
of data to life-critical. IDC White Paper. https://www.import.io/wp-content/ 
uploads/2017/04/Seagate- WP-DataAge2025-March-2017.pdf 

Richer, P. (2003). Steganalysis: Detecting hidden information with computer forensics 
analysis. SANS Institute. www.sans.org/reading-room 

Rivest, R. (1992). The md5 message-digest algorithm. IETF. www.ietf.org 

Rogers, M. K., & Seigfried-Spellar, K. C. (2016, March). The curse of big data 
in digital forensics. In Interdisciplinary conference on cybercrime, Michigan State 
University, East Lansing, MI. 

Sachowski, J. (2018). Digital forensics and investigations: People, process, and 
technologies to defend the enterprise. CRC Press. 

Saferstein, R. (2010). Criminalistics: An introduction to forensic science (10th ed.). 
Prentice Hall. 

Sammes, A., & Jenkinson, B. (2000). Forensic computing: A practitioner’s guide. 
Springer-Verlag London Limited. 

Sammons, J. (2012). The basics of digital forensics: The primer for getting started in 
digital forensics. Syngress. 

Savage, T. M., & Vogel, K. E. (2009). Digital multimedia. Jones and Bartlett 
Publishers. 

Schmitt, V., & Jordaan, J. (2013). Establishing the validity of MD5 and SHA-1 
hashing in digital forensic practice in light of recent research demonstrating 
cryptographic weaknesses in these algorithms. International Journal of 
Computer Applications, 68(23), 40-43. 

Schroeck, M., Shockley, R., Smart, J., Romero-Morales, D., & Tufano, P. 
(2012). Analytics: The real-world use of big data. IBM Global Services. https:// 
www.bdvc.nl/images/Rapporten/GBE03519USEN.PDF 


617 


Examination of Forensic Evidence 


618 


Scientific Working Groups on Digital Evidence and Imaging Technology. (2011, 
January 14). SWGDE/SWGIT digital & multimedia evidence glossary (version 2.4). 
www.crime-scene-investigator.net/swgde_sweit_glossary_v2-4.pdf 

Shannon, E. (2002, May 23). Did Richard Reid let mom know? Time. http:// 
content.time.com/ 

Shaw, R. (2013, October 4). File carving. Infosec Institute. http://resources. 
infosecinstitute.com/file-carving/ 

State v. Cook, 149 Ohio App.3d 422, 2002-Ohio-4812. 

Threat Analysis. (2017, June 8). Crack windows passwords with registry hives. 
Voodispot.com. https://vcodispot.com/crack-windows-passwords/ 

United States v. Beatty, 437 Fed. Appx. 185 (3rd Cir. 2011 No. 10-3634). 

United States v. Cartier, 543 F.3d 442, 446 (8th Cir. 2008). 

United States v. Gaynor, WL 113653 (D.Conn., January 4, 2008). 

WalesOnline. (2004, June 26). Accountant plotted to cheat employers of £1.5m. 
http://www.walesonline.co.uk/news/wales-news/accountant-plotted-cheat- 
employers-15m-2434686 

Wang, Q. (2012, August). Recommendation for applications using approved hash 
algorithms. NIST Special Publication 800-107, Revision 1. www.cftt.nist.gov 

Wang, Z., Yin, Y. L., & Yu, H. (2005, August). Finding collisions in the 
full SHA-1. In V. Shoup (series eds.). Lecture notes of the institute for 
computer sciences, Vol. 3621, Crypto 2005 (pp. 17-36). 

Waxse, D. J. (2013). Advancing the goals of a “just, speedy, and inexpensive” 
determination of every action: The recent changes to the district of Kansas 
guidelines for cases involving electronically stored information. Regent 

University Law Review, 26, 111-142. 

Wiles, J. (2007). Techno security’s guide to e-discovery and digital forensics. Syngress 
Publishing, Inc. 

Williams, J. (2012). ACPO good practice guide for digital evidence. Association of Chief 
Police Officers of England, Wales and Northern Ireland. www.acpo.police.uk 

Xie, T., & Liu, F. (2013). Fast collision attack on MDS. International 
Association for Cryptologic Research. www.iacr.org 

XPEL Technologies Corporation v. American Filter Film Distributors, WL 
744837 (W.D. Tex. Mar. 17, 2008). 

Yani, I. A., & Zargari, S. (2017, June). An overview and computer forensic 
challenges in image steganography. In 2017 IEEE international conference 
on Internet of things (i Things) and LEEE green computing and communications 

(GreenCom) and IEEE cyber, physical and social computing (CPSCom) and IEEE 
smart data (SmartData) (pp. 360-364). 


16 


Chapter 


LEGAL 
CHALLENGES 
IN DIGITAL 


FORENSIC 
INVESTIGATIONS 


Legal Challenges in Digital Investigations 


620 


Chapter Goals 


e Explain the Fourth and Fifth Amendments as they relate to cases 
involving digital forensics 

© Understand the process of conducting a warrant vs. warrantless search 
and seizure 

e Describe the different standards of proof 

e Identify and describe exceptions to the warrant requirement for a 
search and seizure 

e Identify and describe the different standards of reliability and admissi- 
bility for expert witness testimony and scientific evidence 

e Understand whether digital forensics meets standards for admissibility 


in court 


Introduction 


In April 1991, Kevin Poulsen was arrested and charged with several computer 
hacking crimes, including telecommunications and computer fraud (United States 
v. Poulsen, 1994). Additional espionage charges were brought against Poulsen 
for illegal possession of classified government secrets were filed after computer 
tapes were found in a storage locker rented under his name. He claimed the 
computer tapes were illegally obtained and, therefore, could not be used as evi- 
dence in the espionage case (United States v. Poulsen, 1994). 

According to court documents, Poulsen rented a storage locker from the 
Menlo-Atherton Storage Facility in April 1987. Poulsen was 71 days behind in 
rent and owed the company $155.50 for the storage locker. In January 1988, 
Menlo mailed a notice to Poulsen (who provided a false address and name on 
the rental agreement) stating that if the rent were not paid in full within 14 days, 
Menlo would terminate Poulsen’s right to the storage unit. 

In February 1988, after not receiving rental payment in full, the manager of 
Menlo removed the contents of Poulsen’s locker but noticed “a large amount of 
telecommunications equipment and manuals that apparently belonged to Pac- 
Bell” (United States v. Poulsen, 1994, para 7). Since the manager of the storage 
facility believed the telecommunications equipment was stolen, he contacted 
the police department and gave the detectives permission to seize all of the 


contents of Poulsen’s locker. 
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When PacBell investigators examined the computer tapes, they con- 
tained classified military secrets including “air tasking orders, which list tar- 
gets that the United States Air Force will attack in the event of hostilities” 
(United States v. Poulsen, 1994, para 16). Poulsen filed a motion in 1993 to 
suppress the computer evidence retrieved from the storage unit on the basis 
that seizing evidence from his storage locker violated his Fourth Amend- 
ment right to privacy and unlawful search and seizure. The US government 
argued that the “renter does not have a legitimate expectation of privacy in 
the contents of a rental unit if the rent is not paid” (United States v. Poulsen, 
1994, paras 29-30). 

In 1994, the Ninth Circuit Court for California ruled that the computer 
evidence tapes were admissible and Poulsen did not have an expectation of 
privacy regarding the contents of his storage locker. Specifically, the court 
agreed that Poulsen’s expectation of privacy for the storage unit was termi- 
nated when he failed to pay the full amount of his rent as stated in the signed 
rental agreement (United States v. Poulsen, 1994). In 1996, Poulsen’s espionage 
indictment was dropped, but he served five years in prison for the other crimes 
he committed. 

Though Poulsen went on to become the investigations editor for the tech- 
nology magazine Wired, the court’s ruling in the United States v. Poulsen (1994) 
case became an important decision that affected his sentencing. The computer 
tapes were the sole evidence for the espionage charges. If this evidence were not 
admitted, it would have substantially hindered the ability of the government to 
bring charges against Poulsen. As a result, the admissibility of digital evidence 
has the ability to significantly impact the outcome of a trial. 

This chapter highlights the legal issues surrounding digital forensic evi- 
dence in the courtroom. The chapter begins by exploring two constitutional 
rights in the United States often challenged in cases involving digital foren- 
sic evidence: the right to privacy (Fourth Amendment) and the right against 
self-incrimination (Fifth Amendment). Next, the standards for admissibility of 
digital evidence in criminal cases in the United States is examined along with 
a brief discussion of some international responses (e.g., United Kingdom, Ire- 
land, India, Canada, and the Philippines) to issues that are being faced globally, 
including key disclosure laws and the reliability of expert witness testimony. 
Finally, the chapter concludes with a discussion of the admissibility and reli- 
ability standards for digital forensic examiners providing expert testimony in 


the courtroom. 
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Constitutional Issues in Digital Investigations 


The United States Constitution was adopted on September 17, 1787 (Levy, 
2001) and is the highest form of law within the nation. It mandates that all state 
judges must follow federal law when a conflict arises between state and federal 
law. The first ten amendments of the US Constitution are known as the Bill of 
Rights and were ratified on December 15, 1791 (Levy, 2001). For an amend- 
ment, meaning an addition or alteration, to be made to the United States Con- 
stitution, two-thirds of the members from both the House of Representatives 
and the Senate must approve it and three-fourths of the states must ratify it. 
With that in mind, the Fourth Amendment and Fifth Amendment are arguably 
the most influential to cases involving digital forensics, yet these amendments were 
written during a time without concern for the influence of digital technology on 
the law. As discussed throughout this textbook 12, almost every criminal investi- 
gation now involves some form of digital evidence. Therefore, the Constitution 
is constantly being reinterpreted and challenged in this Digital Age of technology. 
The following section will discuss the legal issues surrounding the Fourth Amend- 


ment and Fifth Amendment as they relate to cases involving digital evidence. 


The Fourth Amendment 


The Fourth Amendment is often summarized as the right to privacy; yet, 
there is no explicitly stated “right to privacy” in the United States Constitu- 
tion or Bill of Rights (del Carmen & Hemmens, 2017). Instead, the Fourth 
Amendment limits the government’s ability to search and seize evidence with- 
out a warrant. In other words, it prohibits unlawful search and seizure but only 
applies to law enforcement officers, and not private individuals so long as they 
are not acting as an agent of the government (James et al., 2014). Overall, the 
Fourth Amendment may be viewed as a narrow rather than general right to pri- 


vacy (see del Carmen & Hemmens, 2017). The amendment reads: 


The right of the people to be secure in their persons, houses, papers, and 
effects, against unreasonable searches and seizures, shall not be violated, and 
no Warrants shall issue, but upon probable cause, supported by Oath or affir- 
mation, and particularly describing the place to be searched, and the persons 
or things to be seized. 


Thus, the Fourth Amendment begins with a clause protecting a person’s body, 


home, and other belongings from unlawful search and seizure by any government 
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agency. It also indicates that probable cause is required in order to issue a war- 
rant. However, the Fourth Amendment does not explicitly define what constitutes 
unlawful search and seizure, probable cause, or one’s “effects” or belongings. For 
example, results from a survey of 750 companies around the globe suggested that 
93 percent were using some form of cloud storage in 2020 alone (MSV, 2020). 
Cloud storage is like a virtual warehouse where people can store data on a network 
(e.g., Dropbox, iCloud, and Google Drive). So, is the data stored “in the cloud” 
(e.g., pictures stored in Dropbox) considered private and/or protected under the 
Fourth Amendment? These are the types of questions facing the courts, which must 
determine how to interpret and apply the Fourth Amendment in this Digital Age. 


Privacy 


Since the right to privacy is not overtly outlined in the Constitution, the courts 
were left to decide when privacy was protected under the Constitution. One of 
the most influential cases that defined one’s right to privacy was Katz v. United 
States (1967). In 1965, Charles Katz was convicted of conducting illegal gambling 
operations across state lines. Agents from the Federal Bureau of Investigation 
(FBI) placed a warrantless wiretap on the public phone booth that Katz was using 
to conduct his gambling operations, which allowed them to listen only to Katz’s 
conversations that related to the illegal gambling operations. Evidence from the 
warrantless wiretap was used to convict Katz of illegal gambling (see Figure 16.1). 

Katz appealed his conviction, arguing that the public telephone booth was 
a constitutionally protected area so the warrantless wiretap violated his Fourth 
Amendment right to unreasonable search and seizure (Katz v. United States, 1967). 
Therefore, any evidence obtained from the warrantless wiretap should be inadmis- 
sible in court. In contrast, the federal agents argued that the evidence was admissi- 
ble since they did not need a warrant to wiretap a public telephone booth. In 1967, 
the US Supreme Court ruled that the warrantless wiretap did violate Katz’s Fourth 
Amendment right to unlawful search and seizure, so any evidence obtained because 
of the wiretap was inadmissible in court. Most importantly, the US Supreme Court 
ruled that Katz had a constitutionally protected reasonable expectation of privacy 
(Katz v. United States, 1967). As stated in the opinion: 


What [Katz] sought to exclude when he entered the booth ... was the unin- 
vited ear. One who occupies [a telephone booth], shuts the door behind 
him, and pays the toll that permits him to place a call is surely entitled to 
assume that his conversation is not being intercepted. 
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Fig. 16.1 
An example 
of an old nea 
pay phone. 
Although this 
pay phone is 
“public,” Katz 
v. United States 
(1967) ruled 
that a person 
who enters a 
phone booth, 
and closes 


the door, has 
a reasonable 
expectation 


of privacy, so 
a warrantless 
wiretap 
would violate 
the Fourth 


Amendment 


Source: http:// 
www.shutterstock. 


com/pic.mhtml? 
id=13525399& 

src=e709roJo sa ns et everett ee 
BBPLRODOiYV 
61Q-1-29. Image 


cou rtesy of www. 


Shutterstock.com 
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In the concurring opinion, Justice Harlan outlined two criteria for when there 
is a reasonable expectation of privacy: the person must have exhibited an 
actual expectation of privacy, and the expectation must be one that society is 
prepared to recognize as reasonable (Katz v. United States, 1967). In addition, 
the Fourth Amendment protects people and not places, so the question was 
not if the public phone booth was constitutionally protected but whether 
the person making the phone call had a reasonable expectation of privacy 
(Katz v. United States, 1967). For example, if a person is talking on your cell 
phone while in a university classroom waiting for class to start, they would 
not be protected by the Fourth Amendment because it would be unreasonable 
to assume that they have an expectation of privacy if they are conversing in the 
open where it can easily be overheard by the other students. Based on the Katz 
v. United States (1967) ruling, the first part of the Fourth Amendment is often 
referred to as the reasonableness clause, meaning a search is constitutional if 
it does not violate a person’s reasonable and legitimate expectation of privacy 
(Neubauer & Fradella, 2019). 


Search and Seizure 


As discussed previously, the second clause of the Fourth Amendment restricts 
the government’s ability to search and seize evidence without probable cause to 
issue a warrant. The second clause of the Fourth Amendment is often referred 
to as the warrants clause, indicating a warrant or signed document issued by a 
judge or magistrate authorizes a specific course of action. The Fourth Amend- 
ment specifically refers to a search warrant, which is a signed document by a 
judge or magistrate authorizing law enforcement to conduct a search (Neubauer 
& Fradella, 2019). 

A search warrant is different from an arrest warrant, which is a signed docu- 
ment by a judge or magistrate authorizing law enforcement to take the person 
into custody (Neubauer & Fradella, 2019). A search is specifically defined as 
the “exploration or examination of an individual’s home, premises, or person 
to discover things or items that may be used by the government as evidence 
in a criminal proceeding,” and seizure is defined as “the exercise of control by 
the government over a person or thing because of a violation of the law” (del 
Carmen & Hemmens, 2017). Therefore, when law enforcement officers con- 
duct a search and seizure, they are identifying and collecting potential evidence 


to be used in the court of law. 
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In United States v. Jacobsen (1984), the Supreme Court defined the mean- 
ing of search and seizure. This case involved a damaged cardboard box that 
exposed several bags containing a white powdery substance. After seeing the 
contents of the box, the employees of the freight company contacted the Drug 
Enforcement Administration (DEA) to investigate. When an agent arrived, he 
tested the white powdery substance onsite and determined it was cocaine. Based 
on the results of the field test, the DEA agent then obtained a warrant to search 
the address where the box was being shipped. After a sting operation on the 
shipping destination, Bradley and Donna Jacobsen were convicted of possession 
with intent to distribute cocaine (United States v. Jacobsen, 1982). They appealed 
their conviction, arguing that the Fourth Amendment required the DEA agent 
to obtain a search warrant before testing the white powder. The Supreme Court 
disagreed and held that the defendants’ Fourth Amendment rights were not vio- 
lated because the initial invasion of privacy occurred as a result of private action 
rather than governmental action. 

In addition, the US Supreme Court stated that a search occurs when an 
“expectation of privacy that society is prepared to consider reasonable is 
infringed,” and a seizure of property occurs when there is “some meaningful 
interference with an individual’s possessory interests in that property” (United 
States v. Jacobsen, 1984). In this case, the search and seizure were reasonable and 
did not violate the defendant’s expectation of privacy since the unsealed, dam- 
aged box was compromised. The employees of the freight company also opened 
the damaged, unsealed box and discovered the suspicious white powder and 
then invited the DEA to inspect the contents of the box. Therefore, the war- 
rantless search and seizure was legal since there was no expectation of privacy. 
The conduct of the agent was reasonable given the prior knowledge, shared by 
a private third party, that the box contained a suspicious white powder (United 
States v. Jacobsen, 1984). That is to say, the agents can reenact the original pri- 
vate search without violating any expectation of privacy, so long as they do not 
exceed the scope of the private search (United States v. Jacobsen, 1984). 

There are three basic requirements for a warrant (see Box 16.1; Bloom, 2003; 
del Carmen & Hemmens, 2017; Neubauer & Fradella, 2019). First, a warrant 
must be signed by a neutral and impartial judge or magistrate who does not 
have a vested interest in whether the search warrant should be issued. Second, 
the Fourth Amendment specifically requires that there must be probable cause, 
supported by oath and affirmation, to issue a warrant. Probable cause means 
there must be adequate reasons or justifications, rather than mere suspicion, to 
conduct a search. According to Brinegar v. United States (1949), “probable cause 
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deals with probabilities. These are not technical; they are the factual and practice 
considerations of everyday life on which reasonable and prudent men, not legal 
technicians, act” (175). In general, to issue a warrant, there must be probable 
cause to support the belief that both a crime has been committed and that evi- 


dence of a crime will be found (see Brinegar v. United States, 1949). 


Box 16.1. A Fictional Search Warrant for 
Electronic Devices 


Fictional search warrant, from the Tippecanoe High Tech Crime Unit, to 


search a home for electronic devices. 


STATE OF INDIANA ) IN THE SUPERIOR __ COURT 
) SS: 
COUTY OF TIPPECANOE ) OF TIPPECANOE COUNTY 
79D___1701-MC 


SEARCH WARRANT 


(Lafayette Police Department 

(West Lafayette Police Department 
To Any Police Officer of the (Tippecanoe County Sheriff's 

Department 

(Tippecanoe County Prosecutors Office 

(Indiana State Police 

(Purdue University Police Department 

(Indiana Excise Police 

(Indiana Department of Natural 

Resources 


Greetings: 

Whereas there has been filed with me an Affidavit of Probable Cause, 
you are therefore commanded in the name of the State of Indiana with the 
necessary and proper assistance in the daytime or in the nighttime to enter 


into and upon the premises described in said affidavit, to wit: 


12345 Main ST, Somewhere, IN 99999 a one-story house with blue sid- 
ing and white trim 
AND 
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A gray 1967 Ford Shelby Mustang GT500 registered to Thomas J. Egen 
(IN plate # “DRFALLS”) 

AND 

The person of Thomas J. Egen, W/M DOB: 2/30/1972, SSN: 
XXX-XX-1234 


Tippecanoe County, in the State of Indiana, and there diligently search 
for and seize: 

To search for and seize all electronic devices capable of internet activ- 
ity, or capable of transferring and/or storing electronic data (such as desk- 
top computers, laptops, iPhones, iPod touches, iPads, Blackberries, cell 
phones, routers, USB hard drives, mobile devices, thumb drives, CD/ 
DVDs, floppy disks) and to forensically search said devices and compo- 
nents of said devices for all files (active or deleted) for any images, photo- 
graphs, or videos of child pornography; any internet searches (including 
browser history, cache, cookies, and downloads) for child pornography; 
electronic data showing user activity or documentation of viewing, stor- 
ing, producing, and/or transferring of any child pornography including 
emails; evidence of child molestation or other sexual offenses involving 
minors, and electronic data showing the identity of the user of said devices. 

As described in the probable cause affidavit and that you bring the 
same, or any part thereof found on such search, forthwith before me to be 


disposed of according to law. 


Given under my hand and seal this day of January, 2020. 


Judge/Magistrate of Tippecanoe County 


Fictional search warrant courtesy of Investigator Sean Leshney of the Tip- 
pecanoe County High Tech Crime Unit 


Probable cause may be viewed as a standard of proof on a continuum of 
probability ranging from mere suspicion to almost complete certainty (del 
Carmen & Hemmens, 2017). For example, in a criminal case, the prosecution 
must show the jury and/or judge there is proof beyond all reasonable doubt 
that the person on trial committed the crime. In other words, believing that the 


defendant probably committed the crime or is most likely guilty is not the same 
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thing as being almost 100 percent certain, or in other words, beyond a reason- 
able doubt. This high standard of proof makes it less likely that an innocent 
person will be convicted. In contrast, a civil case requires only a preponderance 
of the evidence standard of proof. Essentially, it must be more likely than not 
that the accused committed whatever acts to which they are charged. 

As previously discussed, the Fourth Amendment requires probable cause in 
order to obtain a search warrant. The probable cause is usually presented as an 
affidavit, which is a written, or occasionally verbal, statement to which the law 
enforcement officer has sworn an oath to the magistrate that the information is 
true and factual (del Carmen & Hemmens, 2017; Neubauer & Fradella, 2019). 
Finally, the warrant must explicitly state what crime was committed, the loca- 
tion to be searched, and the specific items that are to be seized (Bloom, 2003). 
Essentially, warrants should be carefully constructed and detailed so that the 
law enforcement officers executing the warrant can “identify the items with 
reasonable certainty, and are left with no discretion as to which property is 
to be taken” (Neubauer & Fradella, 2019). However, there are a number of 


exceptions to the rule, meaning not all searches and seizures require a warrant. 


Exceptions to the Rule 


In general, the US Supreme Court has ruled that a warrant is only required 
if the search violates a person’s reasonable expectation of privacy (Illinois v. 
Andreas, 1983). In addition, a warrantless search may be constitutional even if 
it does violate a person’s reasonable expectation of privacy, so long as it falls 
within an established exception to the rule (Illinois v. Rodriguez, 1990). There 
are a number of exceptions to the warrant requirement of a search and sei- 
zure: search incident to arrest, consent searches, motor vehicle searches, border 
searches, open fields, plain view, and third-party disclosure, to name a few (see 
Neubauer & Fradella, 2019). 

For example, a person may be searched and any evidence seized once they 
have been arrested. The process of searching a person who has been arrested 
for a crime is known as a search incident to arrest. In United States v. Robinson 
(1973), the court ruled that a search incident to arrest is not only an exception 
to the warrant requirement but is also viewed as a reasonable search under the 
Fourth Amendment. Searches incidental to arrest protect officers by allowing 
them to search for weapons or instruments to escape on the arrested person as 
well as ensure that potential evidence is not going to be destroyed (see United 
States v. Robinson, 1973). 
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In United States v. Finley (2007), the defendant appealed his conviction on 
possession and intent to distribute methamphetamine arguing that his Fourth 
Amendment rights were violated since law enforcement conducted a warrant- 
less, post-arrest search of his cell phone, which was retrieved from his pants 
pocket. The search revealed text messages and call records related to narcotics 
use and trafficking, which were presented as evidence during his trial. The Fifth 
Circuit court ruled that searching the cell phone did not violate Finley’s Fourth 
Amendment rights since it occurred post-arrest and the cell phone was retrieved 
from his pants pocket (i.e., search incident to arrest). 

Since cell phone data can be altered or changed, the officers were searching 
for potential evidence in order to prevent its destruction (United States v. Finley, 
2007). In contrast, State v. Smith (2009) ruled that the warrantless search of a 
cell phone seized incident to arrest violates the Fourth Amendment when the 
“search is unnecessary for the safety of law enforcement officers and there are no 
exigent circumstances” (line 171). Exigent circumstances refer to emergency 
situations that allow law enforcement officers to conduct a warrantless search 
when they believe people are in danger or potential evidence will be destroyed 
(see McInnis, 2009). 

The US Supreme Court, however, recently unanimously ruled in Riley v. 
California (2014) that police will not be allowed to search cellular devices with- 
out a warrant after a person has been arrested (Bekiempis, 2014). Prior to this 
decision, there were no specific standards for cell phone seizure. In fact, law 
enforcement officers were seizing cell phones and imaging them during traffic 
stops in some states. There are digital forensic tools available that are portable 
and allow law enforcement to extract cell phone data (see Figure 16.2). For 
example, in 2012, Noe Wuences was pulled over by an Oklahoma City police 
officer because the license plate tag was improperly displayed (United States v. 
Zaavedra, 2013). The driver consented to a search of the vehicle and 9.5 lb of 
methamphetamine was found hidden inside. Also, located inside the car were 
two cell phones. 

The officer proceeded to conduct a warrantless search of the cell phones 
using a Cellebrite device, which extracted information including contacts, 
phone history, text messages, and pictures. During trial, Wuences submitted a 
motion to suppress any evidence retrieved from the cell phones because the 
search violated his Fourth Amendment rights (United States v. Zaavedra, 2013). 
Since prior courts ruled that law enforcement may search a cell phone seized 
during a traffic stop so long as there is probable cause to believe the phone con- 


tains evidence of a crime (see United States v. Garcia-Aleman, 2010) and are 
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recognized tools of the drug trade (see United States v. Oliver, 2004), the North- 
ern District of Oklahoma court ruled that Wuences’s Fourth Amendment rights 


were not violated. 


For more on cell phone privacy ruling, go online to: https://epic. 
org/amicus/cell-phone/riley/ 


This new ruling by the Supreme Court in Riley, however, demonstrates that 
the opinion regarding cell phones has changed (Bekiempis, 2014). Previously, 
the courts traditionally viewed cell phones as an electronic version of a phone 
book, which contained only contact information (phone numbers, addresses). 
Now, cell phones are essentially mini-computers that contain a lot more infor- 
mation than mere phone numbers and addresses. For example, the iPhone 12 
can have as much as a 256 GB storage capacity, with additional capacity via cloud 
storage enabling the device to hold tens of thousands of pictures and video. 

As discussed in Chapter 14, smart phones function similarly to computers 
in that they alow web browsing, emailing, video conferencing, and a vari- 
ety of apps for data entry and editing. According to Professor Kerr of George 
Washington University: “It’s misleading to even think of them as phones; they 
are ‘general purpose computers’ that have a bunch of apps, one of which is a 
telephone function” (Totenberg, 2014, para 8). As a consequence, the court 
stipulated in its ruling that cell phones “with all they contain and all they may 
reveal, they hold for many Americans the privacies of life” (Bekiempis, 2014). 
Thus, police must obtain appropriate warrants prior to conducting a search of a 
cell phone seized incident to an arrest. In addition, law enforcement may submit 
a search warrant, court order, or subpoena to a social media provider in order 
to obtain data records (See Box 16.2; Nelson et al., 2015; Seigfried-Spellar & 
Leshney, 2015). 

The Canadian Supreme Court concurred with this argument when they 
ruled that during a search of any premises, additional court authorization is 
needed to search any computers or cell phones found onsite (R v. Vu, 2013). 
Thus, law enforcement officers may seize computers or cell-phones during a 
search, but must obtain additional court authorization to search the electric 
devices. In that respect, the Canadian Supreme Court argued that a cell phone 
or computer was not the same thing as a dresser drawer or filing cabinet. If 
conducting a legal search of physical property, law enforcement is allowed to 
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Box 16.2. A Fictional Search Warrant 
for an Email Account 


Fictional search warrant, from the Tippecanoe High Tech Crime Unit, 
for data related to an email account. 
STATE OF INDIANA ) IN THE SUPERIOR__ COURT 
) SS: 
COUTY OF TIPPECANOE ) OF TIPPECANOE COUNTY 
79D__-1701-MC- 


SEARCH WARRANT 


(Lafayette Police Department 

(West Lafayette Police Department 
To Any Police Officer of the (Tippecanoe County Sheriff's 

Department 

(Tippecanoe County Prosecutors 

Office 

(Indiana State Police 

(Purdue University Police Department 

(Indiana Excise Police 

(Indiana Department of Natural 


Resources 


Greetings: 

Whereas there has been filed with me an Affidavit of Probable Cause, 
you are therefore commanded in the name of the State of Indiana with the 
necessary and proper assistance in the daytime or in the nighttime to enter 


into and upon the premises described in said affidavit, to wit: 


The Gmail account XXXXXXXXXXX@gmail.com using services held 
by Google, Inc., Attn: Custodian of Records, 1600 Amphitheatre Park- 
way, Mountain View, CA 94043, FAX: 650-253-0001 


Tippecanoe County, in the State of Indiana, and there diligently search 


for and seize: 


To search for the Google Account of “XXXXXXXXX@gmail.com” 
to obtain all basic user identity information; general subscriber records; 
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profile information, phone numbers, all devices (MEID,IMEI,ESN) con- 
nected to the account, IP address logs; all emails (active, deleted, sent, 
received, and drafts) in all folders from January 1, 2015 to present; Google 
Wallet information, all contacts, including address book and Google Talk 
List; all instant messages and/or chats; and all files and/or stored media 
stored on the account’s Google Drive for any date. 


As described in the probable cause affidavit and that you bring the 
same, or any part thereof found on such search, forthwith before me to be 
disposed of according to law. 

It is ORDERED that the owner of the named account not be notified 
of this legal demand has it the compromise the law enforcement investi- 
gation and/or cause the tampering/destruction of evidence. Reference: 
Enter Agency Case number (Description of Type of Investigation) 

The search warrant results and Affidavit of Business Records can be 
mailed/returned to: 


Enter Law Enforcement Officer contact info and address 


Given under my hand and seal this day of » AOU 


Judge/Magistrate of Tippecanoe County 


Fictional search warrant courtesy of Investigator Sean Leshney of the Tip- 
pecanoe County High Tech Crime Unit. 


search inside dresser drawers and filing cabinets, even if the drawers are closed. 
Computers and cell phones are different than filing cabinets; for instance, they 
may be connected to a network whose data is not technically part of the prem- 
ises being searched (R v. Vu, 2013). As a result, perceptions on the status of cell 
phones and legal searches are evolving and will continue to evolve over the next 
few decades. 

Other exceptions to the warrant requirement are the search of open fields 
and the plain view doctrine. Open field searches do not require a warrant since 
an open field (i.e., property not adjacent to one’s home, such as fields or water) 
cannot be considered “persons, houses, papers, or effects” as stated by the Fourth 
Amendment (see United States v. Hester, 1924). The plain view doctrine allows 
law enforcement officers to conduct a search and seizure for evidence that may 
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not be in the search warrant but is in plain view and its incriminating nature is 
immediately apparent. For example, in Horton v. California (1990), law enforce- 
ment executed a warrant for stolen property in the home of Terry Horton, who 
was suspected of armed robbery. Although the warrant only authorized the 
search and seizure of stolen property, the law enforcement officer discovered, 
in plain view, then seized the weapons, as potential evidence related to the 
armed robberies. The judge ruled that a warrantless seizure of evidence (e.g., 
weapons), while executing a legal search warrant (e.g., stolen property), does 
not violate the Fourth Amendment since the discovery of said evidence was in 
plain view (see Horton v. California, 1990). 

There is a current exception to the plain view doctrine. In United States v. 
Carey (1999), the defendant argued that his Fourth Amendment rights were 
violated after a detective searched for evidence on a computer that was outside 
the scope of the original warrant. Patrick Carey was being investigated for pos- 
sible sale and possession of cocaine. After providing consent, the defendant’s 
computers were taken to the police station and a warrant was obtained by the 
officers allowing them to search the files on the computers for “names, tele- 
phone numbers, ledger receipts, addresses, and other documentary evidence 
pertaining to the sale and distribution of controlled substances” (United States v. 
Carey, 1999, pp. 1265-1267). 

While searching the computer, the detective identified a JPEG file that con- 
stituted an image of child pornography. After finding this image, the detective 
admitted in court that he abandoned his search for drug trafficking evidence in 
pursuit of evidence related to child pornography. The detective spent approx- 
imately 5 hours downloading over 200 files in search of child pornography 
(United States v. Carey, 1999). Since the Fourth Amendment requires that a 
search warrant specify the location and items to be seized, the defendant argued 
that the original warrant was transformed into a “general warrant.” However, 
the government argued that the child pornography images fell within the plain 
view doctrine. 

The Tenth Circuit court rejected the government’s argument citing the 
Coolidge v. New Hampshire (1971) ruling that “the plain view doctrine may not 
be used to extend a general exploratory search from one object to another until 
something incriminating at last emerges” (line 466). In addition, the detective 
was not seizing the files themselves, but the content within the files. In this case, 
the content was not in plain view. 


The court ruled that the discovery of the first child pornography image was 


admissible (the initial discovery), while all subsequent images discovered were 
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beyond the scope of the original warrant. As a result, the contents of a computer 
file are not considered in “plain view” since they must be opened in order to 
view them. This case established that when evidence is discovered (e.g., child 
pornography JPEG) related to a different crime (e.g., child pornography pos- 
session) outside the scope of the original warrant (searching for evidence related 
to drug trafficking), the investigator must stop the search entirely, and obtain a 
new warrant based on the newly discovered evidence. 

Finally, the role of consent is one of the most relevant exceptions to the 
warrant requirement. Fourth Amendment rights may be voluntarily waived, 
meaning a search without probable cause or a warrant may occur if a person 
who has authority over the place or items to be searched provides consent 
(Neubauer & Fradella, 2019). A consent search is made when an individual gives 
permission, voluntarily and without deceit, to law enforcement to conduct a 
search. Problems arise when the person providing the consent is not the same 
person who is being searched. 

Courts in the United States have ruled that law enforcement may obtain per- 
mission from third-party members so long as they share a common authority over 
the place or property being searched (see Illinois v. Rodriguez, 1990). In addition, 
the Supreme Court ruled that a warrantless search of a premise does not vio- 
late the Fourth Amendment if it occurred under the apparent authority principle 
(del Carmen & Hemmens, 2017), which states that if the police obtain consent 
to search a premise from someone whom they reasonably believe shares a common 
authority over said premises, it does not violate the Fourth Amendment even if 
the third-party member did not actually have the authority to give consent. 

A number of cases have challenged the exception to the warrant requirement 
as a result of third-party consent to search another person’s computer or elec- 
tronic devices. For instance, in United States v. Smith (1998), the defendant, 
David Smith, was convicted of possession and distribution of child pornogra- 
phy. The case began when Cindy Ushman contacted police and alleged that the 
computer contained child pornography images. The police received consent 
from Cindy Ushman to enter the premises to search for and seize the defend- 
ant’s computer. 

The child pornography evidence was retrieved from a computer that was 
located in the bedroom of his house, which he shared with Cindy Ushman and 
her two daughters. The defendant argued that the evidence was inadmissible 
since the search of the computer was conducted illegally because the consent 
given by Cindy Ushman did not extend to the bedroom which is where the 
computer was kept. Cindy Ushman, however, testified that the computer was 
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not password protected, was used by the entire family, and was kept in a com- 
mon area accessible to other family members. Based on this information, the 
Supreme Court ruled that a roommate has the legal authority to provide con- 
sent to a search and seizure of items and spaces that are shared with the defend- 
ant (United States v. Smith, 1998). 

In a hypothetical example, even though Kathy shares the same dormitory 
room as Joelle, she would only be able to provide consent to law enforcement 
if she also has access to and uses Joel’s computer as well. So if Kathy has joint 
access to Joelle’s computer, Kathy also has a shared common authority over said 
computer. But if Kathy uses a password to protect her computer, or locks it 
away in a desk drawer, and Kathy does not know the password or have a copy 
of the key, she no longer shares a common authority over the computer. In this 
case, Kathy would be unable to provide legal consent for law enforcement to 
search for and seize Joelle’s computer since it is secured. 

In general, the courts have ruled that roommates, apartment managers, 
spouses, and employees/employers may provide consent to law enforcement 
if they have a shared authority over the space or objects to be searched (see del 
Carmen & Hemmens, 2017). Parents can give consent to search a child’s com- 
puter so long as the child is dependent on the parents, meaning the child is a 
minor and is not paying rent. If the child is a legal adult (over the age of 18 years 
in the United States), parents are not able to provide legal consent to search the 
child’s room without a warrant so long as the child is paying rent to the parents 
(see United States v. Rith, 1999; United States v. Whitfield, 1991). 


The Fifth Amendment 


As discussed in Chapter 15, two of the greatest obstacles for digital forensics 
examiners are password-protected and encrypted files (Casey, 2011; Kavrestad, 
2020). Password-protected files are locked files that require a password to gain 
access, which prevents other people from opening or modifying these files 
(Britz, 2013; Kavrestad, 2020). Encryption is the process of transforming text, 
such as an email, through the use of mathematical algorithms so that it is no 
longer legible to others (Casey, 2011; Kessler, 2000; Sammons, 2015). Most 
encryption programs require an access key, which is essentially a password that 
unlocks the file so that the same algorithm that encrypted the information is 
now used to decrypt it. Digital forensics examiners can use specialized programs 
to break encryption and crack passwords. There are, however, some encryption 


and password-protected files that have proven resilient and unbreakable. 
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Many countries are considering whether a suspect can be compelled by a 
court of law to provide an encryption key or password. In the United States, 
this specifically becomes a Fifth Amendment issue. The Fifth Amendment of 


the United States constitution reads: 


3 person shall be held to answer for a capital, or otherwise infamous crime, 
unless on a presentment or indictment of a Grand Jury, except in cases arising 
in the land or naval forces, or in the Militia, when in actual service in time 
of War or public danger; nor shall any person be subject for the same offense 
to be twice put in jeopardy of life or limb; nor shall be compelled in any 
criminal case to be a witness against himself, nor be deprived of life, liberty, 
or property, without due process of law; nor shall private property be taken 
for public use, without just compensation. 


In general, the Fifth Amendment lists specific constitutional rights protected 
within the criminal justice system (Garcia, 2002). First, a person accused of a 
crime must be indicted by a grand jury, a group of people who determine 
whether or not there is enough evidence to formally charge the individual 
with a crime. Second, the double jeopardy clause states that an individual 
is protected from being prosecuted or punished twice for the same crime. For 
example, in 1995, OJ Simpson was found not guilty of murdering his ex-wife 
Nicole Brown Simpson and her friend Ron Goldman. Even if evidence resur- 
faced that proved OJ Simpson was guilty, the Fifth Amendment states that that 
he could not be charged and prosecuted twice for the same crime due to the 
double jeopardy clause (see Box 16.3). 

Next, the Fifth Amendment protects criminal defendants from self-incrimi- 
nation, meaning giving a statement that might expose oneself to punishment for 
a crime (Garcia, 2002). This section of the Fifth Amendment is known as the 
self-incrimination clause. During a trial, the defendant may “plead the Fifth,” so 
they do not have to answer any questions or provide testimony that might be 
self-incriminating. As a result of Miranda v. Arizona (1966), the Fifth Amend- 
ment was extended to not only include trial testimony but also statements made 
while in police custody. In the United States, the police are required to read the 


suspect his/her Miranda rights before questioning: 


You have the right to remain silent. Anything you say can and will be used 
against you in the court of law. You have the right to talk to a lawyer and 
have him or her present with you while you are being questioned. If you 
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Box 16.3 Double Jeopardy 
Double Jeopardy: Getting Away with Murder 


http://abcnews.go.com/US/double-jeopardy-murder/story?id= 
14230469&singlePage=true 


OJ Simpson may be the most famous name associated with double 
jeopardy. In 1995, Simpson was acquitted in the killing of his ex-wife 
Nicole Brown Simpson and her friend Ron Goldman. 11 years later ... 
Simpson was writing a book tentatively titled “IfI did it” ... which left 
people wondering why Simpson could not be re-tried for the murders 
if he confessed or if new details came to light. 


This article explains double jeopardy and provides examples of recent 


cases in which the public wanted someone tried a second time. 


cannot afford to hire a lawyer, one will be appointed to represent you before 
any questioning, if you wish. 
(Miranda v. Arizona, 1966) 


If a suspect waives his/her Miranda rights, any statements made to the police by 
the suspect may be used as evidence in a court of law. However, Griffin v. Cal- 
ifornia (1965) ruled that exercising Fifth Amendment rights to not testify should 
not be used as evidence of guilt. Essentially, if you decide to “plea the Fifth” 
and not testify or answer any questions, your silence cannot be used against you 
as evidence of your guilt. 

Fourth, the due process clause states that the government cannot deprive 
someone of “life, liberty, or property” without due process, meaning the gov- 
ernment must follow rules and procedures for conducting legal procedures to 
limit arbitrary decisions (see Garcia, 2002; Wasserman, 2004). Finally, the last 
section of the Fifth Amendment is referred to as the just compensation clause 
and states that any property taken by the government must be for public use 
and the owner must be fully reimbursed its market value (see Schultz, 2009). 
Overall, the Fifth Amendment provides several different protections against the 


federal government, but the most relevant clause surrounding digital investiga- 


tions is the right against self-incrimination. 
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Protection Against Self-Incrimination 


In order for personal statements to be protected under the Fifth Amendment, 
they must be compelled, testimonial, and incriminating in nature (Fisher v. 
United States, 1976). Any statements made voluntarily (i.e., not compelled) are 
not protected under the Fifth Amendment. In addition, the statement must 
be testimonial, meaning oral or written communication, rather than physi- 
cal evidence (e.g., blood samples, fingerprints; see Doe v. United States, 1988). 
However, there are gray areas as to types of physical evidence that may be 
protected under the Fourth and Fifth Amendments. For example, at a federal 
level, the Supreme Court has not interpreted the Fourth Amendment to include 
radio-frequency identification (RFID). RFID is a technology that uses radio 
waves at different frequencies to transfer data between tags and readers (US Food 
& Drug Administration; FDA, 2018). RFID technology has several uses in the 
healthcare sector, such as out-of-bed detection, fall detection, and equipment/ 
personnel/medication tracking (FDA, 2018). In addition, RFID is also used in 
subcutaneous human implants — a microchip the size of rice (Herbert, 2006; see 
Figure 16.3). According to the American Civil Liberties Union (ACLU), pri- 
vacy concerns around RFID could allow for the tracking of individuals (Smith, 
2008). Future case law and further advancements in human implants will likely 
dictate future use of implants as compulsory evidence. Some states have made 
judgments regarding employees who have implants and their privacy rights, but 
these states are not consistent and do not have a federal effect (Turner, 2020). 
Finally, the Fifth Amendment protects individuals from making statements 
that are incriminating, meaning statements that imply one’s guilt or provide 
evidence that can be used against them in a court of law. This clause becomes 
extremely important when a suspect is compelled to provide the encryption 
key or password to an electronic device that may contain incriminating files. 
For example, in 2007, Sebastien Boucher crossed the Canadian border into 
the United States and the officers found a laptop computer in the back seat 
of his car (In re Boucher, 2007). The officer searched the computer and found 
approximately 40,000 files that contained child pornography. After arresting 
Boucher, the examiner identified a hard drive that was protected by the encryp- 
tion software, Pretty Good Privacy (PGP), which requires an encryption key or 
password to unlock the drive (see Chapter 15; In re Boucher, 2007). In addition, 
a computer forensics expert from the United States Secret Service claimed it 
would take approximately two years to break the PGP encryption. The grand 


jury subpoenaed Boucher for the encryption key to unlock the computer drive. 


FID human 
microchip 
implant used 
to access an 
exterior door 
of a building, 
implanted in 
the web of the 


user’s hand 


Source: Image 
courtesy of 
Brock Warner, 
a PhD student 
and biohacker 
at Purdue 
University’s 
Department of 
Computer and 
Information 
Technology 
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A subpoena is a court order requiring a person to appear before a grand jury or 
produce documents (Neubauer & Fradella, 2019). 

Boucher argued that providing the encryption key violated his Fifth Amend- 
ment right against self-incrimination. The United States District Court of 
Vermont had to determine if Fifth Amendment privilege applied to this case. 
First, the court agreed that the act of requesting a subpoena involved compulsion 
since it requires compliance. In addition, the court agreed that providing the 
password would be incriminating since the government argued that the computer 
contained child pornography. 

The last requirement was the most difficult to determine: whether the com- 
munication was considered testimonial. As discussed previously, testimonial 
refers to nonphysical evidence, so the court acknowledged that the contents 
(e.g., files) of the laptop computer were not privileged under the Fifth Amend- 
ment. In addition, the prosecutor acknowledged that if Boucher provided the 
encryption key to the grand jury it would be testimonial (In re Boucher, 2007). 
Instead of providing the password, the prosecutor argued that Boucher could 
simply enter the password into the computer while no one was observing or 
recording said password, which would still allow access to the hard drive with- 
out violating Boucher’s Fifth Amendment rights (In re Boucher, 2007). 

The Court ruled in favor of Boucher, stating that the act of entering a pass- 


word or encryption key is testimonial (In re Boucher, 2007): 


Entering a password into a computer implicitly communicates facts. By 
entering the password Boucher would be disclosing the fact that he knows 
the password and has control over the files. (p. 9) 


Essentially, the password is not a physical form of evidence. Compelling Boucher 
to provide his encryption key was tantamount to having the grand jury require 
Boucher to “display the contents of his mind to incriminate himself’ (In re 
Boucher, 2007, p. 16). 

The government appealed and revised the original subpoena in In re Boucher 
(2009) stating that they were not specifically seeking the password for the 
encrypted hard drive. Instead, they simply wanted Boucher to provide an 
unencrypted version of the hard drive to the grand jury. In this instance, the 
Court ruled in favor of the prosecutor since the law enforcement officer already 
knew that there was child pornography on the computer after Boucher initially 
opened the hard drive and showed him. They argued that since the government 


already knows that the drive exists, and the type of files that are on the drive, 
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Boucher’s Fifth Amendment rights cannot be violated when he produces an 
unencrypted version of the hard drive (In re Boucher, 2009). 

Similar cases have led to contradictory conclusions. For instance, Ramona 
Fricosu was compelled to provide the encryption key to her Toshiba laptop 
so that law enforcement could execute a previously authorized search war- 
rant (United States v. Fricosu, 2012). During the investigation, the defendant 
acknowledged that she was the sole owner of the computer and that the com- 
puter possibly contained information the authorities were searching for. Based 
on this evidence, the Court ruled that producing an unencrypted version of 
the laptop did not violate Fricosu’s Fifth Amendment rights since she acknowl- 
edged to law enforcement that the computer was hers and that it might contain 
incriminating information (United States v. Fricosu, 2012). 

The In re Doe (2012) case, heard in the Eleventh Circuit Court, ruled that 
the government wrongly charged John Doe with contempt of court when he 
refused to comply with a subpoena compelling him to provide the encryption 
key to his computer. In this case, the court lacked independent evidence that 
the encrypted hard drives contained incriminating evidence. Charging John 
Doe with contempt of court for refusing to provide his encryption key vio- 
lated his Fifth Amendment rights to protection against self-incrimination (In 
re Doe, 2012). 


For more on how the Fifth Amendment applies to encryption 
in the United States, go online to: http://arstechnica.com/tech- 
policy/2012/02/appeals-court-fifth-amendment-protections-can-apply- 
to-encrypted-hard-drives/ 


Key Disclosure 


Based on the current court cases in the United States, a person may be com- 
pelled to provide the encryption key or password for an electronic device so 
long as the government has independent evidence, not just mere suspicion, that 
the encrypted drive contains incriminating evidence. There is not, however, 
any specific key disclosure law in the United States. A key disclosure law is leg- 
islation that mandates a person to provide encryption keys or passwords to law 
enforcement for digital forensic investigations (see Westby, 2004). 

In the United States, there is an intense debate on whether a third-party, 
such as the manufacturer, may be ordered by the court to assist in the decryption 
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and/or unlocking of a suspect’s electronic device (Goel, 2016; Perez & Hume, 
2016). This issue gained national and international attention as a result of the 
San Bernardino shooting case, which became known as the FBI-Apple 
encryption dispute. On December 2, 2015, Syed Rizwan Farook and Tash- 
feen Malik shot and killed 14 and wounded 22 in a terrorist attack at the Depart- 
ment of Health’s holiday party in San Bernardino, California; the suspects fled 
the scene and were later killed in a shoot-out with law enforcement the same 
day (see Keneally & Shapiro, 2015). 

During the investigation, the FBI recovered Farook’s work phone, spe- 
cifically an iPhone 5C, model A1532; however, the phone was locked using 
a four-digit pin (In re Order Compelling Apple, 2016). On February 16, 
2016, Magistrate Judge Sheri Pym ordered Apple to provide three forms of 


technical assistance: 


e Allow the government to enter more than ten passcodes without the risk of 
the data being wiped after the tenth incorrect try (1.e., shut off the auto-erase 
function), 

e Automate the entry of those passcode combinations rather than have to enter 
them manually, and 

e Try back-to-back passcode attempts without the gradually increasing delays 
between attempts that are currently programmed into the system. 


It was not the first time that Apple was ordered to assist the government in 
unlocking an iPhone, but it was the first-time Apple was asked to write and 
install software on a specific device, which would assist the government during 
investigations (see Thompson & Jaikaran, 2016). In response, Apple immediately 
released a statement opposing the judge’s order that same day (see Box 16.4). 

On February 19, 2016, the United States Department of Justice filed a 
motion to compel Apple to comply with the February 16, 2016 court order (In 
re Government’s Motion to Compel, 2016). Apple filed a formal motion opposing 
the court’s order (In re Apple Inc’s Motion to Vacate, 2016) on February 25, 2016 
citing it violated First and Fifth Amendment rights (Benner et al., 2016). 

The first hearing to settle the debate between Apple and the Department 
of Justice was set for March 22, 2016. The Department of Justice applied for 
a continuance on March 2nd, citing an outside party demonstrated a possible 
method for unlocking the iPhone. They claimed they needed time to test this 
method, and if it worked, it would eliminate the need for Apple’s assistance in 
the case (In re Government’s Ex Parte, 2016). On March 28th, the Department of 


Legal Challenges in Digital Investigations 


Box 16.4 Apple, the FBI, and iPhone 
Security Features 


Excerpt from Apple’s “Message to Our Customers” 


Full letter available at: http://www.apple.com/customer-letter/ 


A Message to Our Customers: 


The United States government has demanded that Apple take an 
unprecedented step which threatens the security of our customers. 
We oppose this order, which has implications far beyond the legal 
case at hand. 


We have great respect for the professionals at the FBI, and we believe 
their intentions are good. Up to this point, we have done everything that 
is both within our power and within the law to help them. But now the 
US government has asked us for something we simply do not have, and 
something we consider too dangerous to create. They have asked us to 
build a backdoor to the iPhone. 

Specifically, the FBI wants us to make a new version of the iPhone 
operating system, circumventing several important security features, and 
install it on an iPhone recovered during the investigation. In the wrong 
hands, this software — which does not exist today — would have the poten- 
tial to unlock any iPhone in someone’s physical possession. 

The FBI may use different words to describe this tool but make no 
mistake: building a version of iOS that bypasses security in this way 
would undeniably create a backdoor. And while the government may 
argue that its use would be limited to this case, there is no way to guar- 
antee such control. 


A Dangerous Precedent 

Rather than asking for legislative action through Congress, the FBI is 
proposing an unprecedented use of the All Writs Act of 1789 to justify an 
expansion of its authority. 

The government would have us remove security features and add 
new capabilities to the operating system, allowing a passcode to be input 
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electronically. This would make it easier to unlock an iPhone by “brute 
force,” trying thousands or millions of combinations with the speed of a 
modern computer. 

The implications of the government’s demands are chilling. If the 
government can use the All Writs Act to make it easier to unlock your 
iPhone, it would have the power to reach into anyone’s device to 
capture their data. The government could extend this breach of pri- 
vacy and demand that Apple build surveillance software to intercept 
your messages, access your health records or financial data, track your 
location, or even access your phone’s microphone or camera without 
your knowledge. 

Opposing this order is not something we take lightly. We feel we must 
speak up in the face of what we see as an overreach by the US government. 

We are challenging the FBI’s demands with the deepest respect for 
American democracy and a love of our country. We believe it would be 
in the best interest of everyone to step back and consider the implications. 

While we believe the FBI’s intentions are good, it would be wrong for 
the government to force us to build a backdoor into our products. And 
ultimately, we fear that this demand would undermine the very freedoms 
and liberty our government is meant to protect. 

Tim Cook, Apple CEO 


Justice officially withdrew its legal action against Apple citing it was successful 
in accessing the stored data on Farook’s iPhone and no longer needed Apple’s 
assistance in the case (In re Government’s Status Report, 2016). 

The Department of Justice never revealed the identity of the outside party, 
but FBI Director James Comey stated the government “paid a lot” for the tool — 
approximately $1.3 billion (Barrett, 2016). A lawsuit was filed under the Free- 
dom of Information Act by several news organizations (i.e., Associated Press, USA 
Today, Vice Media) to compel the FBI to provide information regarding the 
purchase of the iPhone access tool (News Organizations vs. FBI, 2016). Since the 
Department of Justice dropped its case against Apple, it is unknown how 
the courts would have ruled. There is no doubt that another case will renew this 
debate on whether a third-party, such as the manufacturer, may be ordered by 
the court to assist in the decryption and/or unlocking of a suspect’s electronic 


device (see Chapter 2 for more detail). 
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For more information on the lawsuit filed under the Freedom of 
Information act against the FBI, visit: https://assets.documentcloud. 
org/documents/3109606/16-Cyv-1850-Dkt-No-1-Complaint.pdf 


Unlike the United States, there are several countries that have specific key 
disclosure laws that require a suspect to provide all encryption keys and pass- 
words during a digital investigation (see Koops, 2013; Madsen & Banisar, 
2000), such as the United Kingdom’s Regulation of Investigatory Powers 
Act (RIPA). This law mandates key disclosure so long as law enforcement 
obtains signed authorization from a high-ranking official (e.g., judge, chief of 
police) using a specialized form known as a Section 49 request (Madsen & 
Banisar, 2000). 


For more on Section 49 requests, go online to: http://www.washing- 
tonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511. 
html 


In addition, the Australian Cybercrime Act 2001 inserted a new section into 
the Crimes Act 1914 giving law enforcement the ability to compel a person 
to provide all encryption keys or passwords when investigating a computer- 
related crime (James, 2004). Failure to comply with this law may result in a 
six-month jail sentence. In Malaysia, the Communications and Multimedia Act 
1998 allows law enforcement conducting a search to compel a suspect to pro- 
vide all encryption keys or passwords in order to search the computerized data 
(The Commissioner of Law Revision, 2006). Similar to Australian law, a person 
in Malaysia who refuses to provide the encryption keys could be fined and/or 
imprisoned for six months. 

In India, the punishment is even harsher according to Section 69 of the 
Information Technology Act of 2008 in that a person may be sentenced to 
seven years in prison for failure to assist an agency with the decryption of infor- 
mation or failure to provide information stored on a computer (Information 


Technology Act, 2008). Although a few countries have implemented key dis- 


closure mandates, there are many more that have no policies at all regarding 
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lawful access to encrypted or password-protected electronic devices (e.g., 
Argentina, Czech Republic, Greece; see Koops, 2013). 


For a world map of encryption laws and policies, go online to: 


https://www.gp-digital.org/world-map-of-encryption/ 


Overall, there are no consistent guidelines on how the law should balance one’s 
privilege against self-incrimination and diminishing obstruction of justice for cases 
involving encrypted or password-protected digital devices. With the rise in encryp- 
tion use, there is no doubt that law enforcement will continue to face the chal- 
lenge of overcoming encryption and password-protected devices (see Chapter 15). 
However, even if a suspect is compelled to provide the encryption key or pass- 


word, the evidence derived must still be admissible in a court of law. 


Admissibility of Evidence in Court 
Overview 


As discussed in Chapter 15, it is important for law enforcement to verify that the 
digital forensic tools are producing reliable evidence in order to meet admissi- 
bility standards in a court of law (Garfinkel, 2013; National Research Council, 
2009). Digital forensics tools must be able to replicate the same results when 
using the exact same methodology (1.e., repeatability). Also, they must be able 
to yield the same results even in a different testing environment (i.e., reproduc- 
ibility; see NIST, 2003). Both are necessary in order for the digital evidence to 
be admissible in the court of law. In addition, the digital forensic technician is 
responsible for documenting which tools were used during the forensic exami- 
nation as well as the date and time of evidence preservation. 

Digital forensic technicians should be prepared to testify in court regarding 
all stages of the digital forensic investigation (see Chapter 15). If the examiner 
lacks transparency, all of these stages could be scrutinized in a court of law. 
Transparency of the digital forensics process makes it easier for the courts to 
determine the validity of the process, and by extension easier to determine 
whether the digital evidence is admissible in a court of law. 

Admissibility is the process of determining whether evidence will assist the 
fact finders (e.g., judge) through their decision-making process. The judge 
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determines whether the digital evidence is admissible in court based on different 
standards for evaluating the relevance and reliability of the evidence. Evidence 
is considered relevant when it can make the fact presented in a case more or less 
probable, and evidence that does not tend to prove or disprove a presented fact 
in a case is deemed irrelevant, therefore inadmissible (Federal Rules of Evidence 
2010, pp. 401-402; Neubauer & Fradella, 2019). Reliability refers to the accu- 
racy of the evidence deemed relevant to a case. 

In the United States, the civil case of Lorraine v. Markel American Insurance 
Company (2007) established guidelines for assessing the admissibility of digi- 
tal evidence. Jack Lorraine and Beverly Mack were suing Markel American 
Insurance Company for damages that were covered by the insurance policy 
after their yacht was struck by lightning. After electronic evidence consist- 
ing of emails was ruled inadmissible, the judge highlighted five evidentiary 
issues when assessing the admissibility of electronic evidence: relevance, 
authenticity, not hearsay or admissible hearsay, original writing rule, and not 
duly prejudicial (Lorraine v. Markel American Insurance Company, 2007). These 
issues are addressed individually by the Federal Rules of Evidence (FRE), 
which govern the admissibility of evidence in federal court proceedings in 
the United States. 

First, FRE 401 defines relevance as the tendency to make the fact being pre- 
sented in a case more or less probable. Second, authenticity refers to the ability 
to prove that the evidence is genuine. According to FRE 901, “the proponent 
must produce evidence sufficient to support a finding that the item is what the 
proponent claims it is.” In cases involving digital evidence (e.g., emails, web 
postings, digital photographs), authenticity is often challenged since electronic 
evidence can easily be deleted, corrupted, or modified (see Lorraine v. Markel 
American Insurance Company, 2007). Third, hearsay is considered second-hand 
evidence, meaning it is testimony not based on a first-hand or personal knowl- 
edge (FRE 801). Testimony that is hearsay is inadmissible because there is no 
way to validate its truthfulness. 

The fourth consideration is referred to as the original writing rule. According 
to FRE 1001-1008, the original writing rule states that the original evidence, 
rather than a duplicate, is generally required unless the duplicate can be authen- 
ticated and proven that its contents are the same as the original. The original 
writing rule is sometimes referred to as the best evidence rule (see Chapter 15). 
Lastly, FRE 403 states that evidence is not admissible, even if it is relevant, if 
it could unfairly bias, confuse, or mislead the fact finders (i.e., unfair prejudice; 
see Box 16.5). 
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Box 16.5 An Excerpt from the US Federal 
Rules of Evidence 


United States Federal Rules of Evidence 401-403 


ARTICLE IV. RELEVANCY AND ITS LIMITS 


Rule 401. Definition of “Relevant Evidence” 

“Relevant evidence” means evidence having any tendency to make the 
existence of any fact that is of consequence to the determination of 
the action more probable or less probable than it would be without 
the evidence. 


Rule 402. Relevant Evidence Generally Admissible; Irrelevant 
Evidence Inadmissible 

All relevant evidence is admissible, except as otherwise provided by 
the Constitution of the United States, by Act of Congress, by these 
rules, or by other rules prescribed by the Supreme Court pursuant to 
statutory authority. Evidence which is not relevant is not admissible. 


Rule 403. Exclusion of Relevant Evidence on Grounds of Prej- 
udice, Confusion, or Waste of Time 

Although relevant, evidence may be excluded if its probative value 
is substantially outweighed by the danger of unfair prejudice, 
confusion of the issues, or misleading the jury, or by considera- 
tions of undue delay, waste of time, or needless presentation of 


cumulative evidence. 


Overall, Lorraine v. Markel American Insurance Company (2007) outlined the 
importance of several legal issues when determining the admissibility of elec- 
tronic evidence in the United States. Other countries have developed admissibil- 
ity standards for electronic or digital evidence (e.g., Canada, Germany, United 
Kingdom, Philippines; see Bidgoli, 2006; Xue-Guang, 2011). For example, in 
2002, the Supreme Court of the Philippines amended the Philippine Rules of 
Electronic Evidence (PREE) to both criminal and civil court cases (Supreme 
Court Resolution, 2002). The PREE specifically outline the admissibility rules 
for electronic evidence compared to the Philippine Rules of Evidence (PRE), 
which is a separate standard for non-electronic evidence. The PREE has similar 
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criteria to the United States FRE for assessing the admissibility of electronic 
evidence, including the best evidence rule and an authenticity standard. 

In India, the Information Technology Act of 2000 was created to specif- 
ically address the increased use of technology to commit crimes (see Chapters 3, 
5, 6, and 9; Karia & Karia, 2012; Karia et al., 2015). In response to the Informa- 
tion Act of 2000, other amendments occurred to existing statutes, including the 
Indian Evidence Act of 1872 (Karia et al., 2015). The Indian Evidence Act 
of 1872 was ill-equipped for dealing with the increased number of documents 
that were being saved digitally as well as the presence of meta-data as evidence 
(Karia et al., 2015). 

In 2000, the Indian Evidence Act was amended to include the phrase “elec- 
tronic records” in the definition for “evidence” (Section 3), and in Section 17, the 
phrase “electronic records” was included in the definition of admission. However, 
it was not until the case of Anvar vs. Basheer & Others (2014) when the Supreme 
Court ruled that electronic records could not be admitted as prima facie evidence 
without authentication (Karia et al., 2015). Essentially, electronic evidence, with- 
out a certificate as stated under Section 65B of the Evidence Act cannot be proved 
by oral evidence (see Box 16.6). In addition, the opinion of the expert under Sec- 
tion 45A of the Evidence Act cannot be resorted to make such electronic evidence 
admissible. Overall, the court recognized that digital evidence may be tampered 
with and altered, so “... safeguards are taken to ensure the source and authentic- 
ity” (Anvar vs. Basheer & Others, 2014, p. 7), and according to Acharya (2014), 
“Anvar does for India what Lorraine did for the U.S. federal courts” (para 23). 


Box 16.6 Indian Evidence Act of 1872 


An Excerpt from the Indian Evidence Act of 1872 (Section 
65A and 65B) 


Section 65A: Special provisions as to evidence relating to elec- 
tronic record 
The contents of electronic records may be proved in accordance with 


the provisions of Section 65B. 
Section 65B: Admissibility of electronic records 


1 Notwithstanding anything contained in this Act, any information con- 
tained in an electronic record which is printed on a paper, stored, 
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recorded, or copied in optical or magnetic media produced by a com- 
puter (hereinafter referred to as the computer output) shall be deemed to 
be also a document, if the conditions mentioned in this section are satis- 
fied in relation to the information and computer in question and shall be 
admissible in any proceedings, without further proof or production of the 
original, as evidence of any contents of the original or of any fact stated 
therein or which direct evidence would be admissible. 

The conditions referred to in sub-section (1) in respect of a computer 

output shall be the following, namely: 

(a) the computer output containing the information was produced by 
the computer during the period over which the computer was used 
regularly to store or process information for the purposes of any 
activities regularly carried on over that period by the person having 
lawful control over the use of the computer; 

(b) during the said period, information of the kind contained in the 
electronic record or of the kind from which the information so con- 
tained is derived was regularly fed into the computer in the ordinary 
course of the said activities; 

(c) throughout the materiel part of the said period, the computer was 
operating properly or, if not, in respect of any period in which it 
was not operating properly or was out of operation during that part 
of the period, was not such as to affect the electronic record or the 
accuracy of its contents; and 

(d) the information contained in the electronic record reproduces or is 
derived from such information fed into the computer in the ordi- 
nary course of the said activities. 

Where over any period, the functions of storing or processing information for 

the purposes of any activities of any regularly carried on over that period as 

mentioned in clause (a) of sub-section (2) was regularly performed by com- 
puter, whether-by a combination of computers operating over that period; or 

(a) by different computers operating in succession over that period; or 

(b) by different combinations of computers operating in succession over 
that period; or 

(c) in any other manner involving the successive operation over that 
period, in whatever order, of one or more computers and one or 


more combinations of computers. 
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All the computers used for that purpose during that period shall be 
treated for the purposes of this section as constituting a single com- 
puter; and references in this section to a computer shall be construed 
accordingly. 

4 In any proceedings where it is desired to give a statement in evidence by 
virtue of this section, a certificate doing any of the following things, that 
is to say, 

(a) identifying the electronic record containing the statement and 
describing the manner in which it was produced; 

(b) giving such particulars of any device involved in the production 
of that electronic record as may be appropriate for the pur- 
pose of showing that the electronic record was produced by 
a computer; 

(c) dealing with any of the matters to which the conditions mentioned 
in sub-section (2) relate, and purporting to be signed by a person 
occupying a responsible official position in relation to the operation 
of the relevant device or the management of the relevant activities 
(whichever is appropriate) shall be evidence of any matter stated 
in the certificate; and for the purpose of this sub-section it shall be 
sufficient for a matter to be stated to the best of the knowledge and 
belief of the person stating it. 

5 For the purposes of this section, 

(a) information shall be taken to be supplied to a computer if it is sup- 
plied thereto in any appropriate form and whether it is so supplied 
directly or (with or without human intervention) by means of any 
appropriate equipment; 

(b) whether in the course of activities carried on by any official, infor- 
mation is supplied with a view to its being stored or processed for 
the purposes of those activities by a computer operated otherwise 
than in the course of those activities, that information, if duly sup- 
plied to that computer, shall be taken to be supplied to it in the 
course of those activities; 

(c) a computer output shall be taken to have been produced by a 
computer whether it was produced by it directly or (with or 
without human intervention) by means of any appropriate 
equipment. 
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Fig. 16.4 The 
scientific 
method. 
Following 

the scientific 
method in a 
digital forensic 
investigation 
will increase 
the likelihood 
of the examiner 
coming to an 
objective, valid 
conclusion as 
to whether 

the relevant 
findings refute 
or support 

the original 
hypothesis, 
such as whether 
a crime was 
committed 
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Along with these general admissibility criteria, there are specific standards set for 
the admissibility of scientific evidence in the United States. Scientific evidence is 
information derived from the scientific method that is relevant to the facts of a case. 
The scientific method is a “process that uses strict guidelines to ensure careful and 
systemic collection, organization, and analysis of information” (Saferstein & Roy, 
2021). The scientific method occurs in the following stages: observation, hypoth- 
esis, prediction, experimentation, and conclusion (Casey, 2011; see Figure 16.4). 

First, the scientific method begins with an observation followed by a ques- 
tion worth investigating. For example, consider the hypothetic case of Jai Max 
who is suspected of being a child pornography user after his wife overheard a 
conversation about viewing illicit images on the Internet. Law enforcement 
officers execute a legal search warrant and seize his laptop computer. Based on 
the facts of the case, the digital forensic examiner may ask whether or not there 
is evidence of Internet child pornography on the laptop. Next, a hypothesis is 


SCIENTIFIC EXPLANATION 
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generated, which is a reasonable explanation as to what might have occurred or 
why. In this case, the examiner may hypothesize that Jai Max was surfing the 
Internet and downloaded child pornography images. 

Based on the hypothesis, a prediction is a specific statement as to how you 
will determine if your hypothesis is true. For example, the digital forensic 
examiner may predict that Internet artifacts (e.g., browser history) and image 
files (e.g., JPEG) will be found on the suspect’s hard drive. Based on these 
predictions, the examiner will test the hypothesis by conducting a digital 
forensic examination and analysis of the imaged hard drive in search of evi- 
dence that will either support or refute the hypothesis (see Chapter 15). This 
stage is meticulously constructed in order to limit any bias or distortion of 
the evidence (see Saferstein & Roy, 2021). The final stage of the scientific 
method is drawing a conclusion, which is an overall summary of the findings 
derived from the examination. This conclusion will either support or refute 
the original hypothesis and should be objective and transparent. In the hypo- 
thetical case of Jai Max, the digital forensic examiner will conclude whether 
or not there is evidence of child pornography use on the suspect’s hard drive. 

In the United States, there are traditionally three standards for assessing the 
admissibility of scientific evidence from expert testimony: Frye, Daubert, and 
FRE 702. Each of these standards will be discussed in greater detail as it pertains 
to scientific evidence derived from digital forensic investigations. 


The Frye Standard 


In Frye v. United States (1923), the defendant, James Alphonso Frye, appealed 
his conviction of second-degree murder on the basis that the defense wanted 
to provide expert witness testimony on the results of a systolic blood pressure 
deception test. In Frye, the technology in question was a precursor to what is 
commonly referred to as the polygraph or lie detector test. The theory was that 
the rise in blood pressure is evidence that the person is lying, concealing facts, or 
guilty of a crime (Frye v. United States, 1923). The defense also offered to conduct 


the lie detector test in the courtroom. However, the prosecution argued that: 


.. while courts will go a long way in admitting expert testimony deduced 
from a well-recognized scientific principle or discovery, the thing from 
which the deduction is made must be sufficiently established to have gained 
general acceptance in the particular field in which it belongs. 

(Frye v. United States, 1923) 
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In its ruling, the District of Columbia Court of Appeals upheld the lower court’s 
decision that the expert witness’s testimony regarding the results of the lie detec- 
tor test was not admissible. Therefore, the Frye standard states that scientific 
evidence is only admissible if it is generally accepted as reliable by the scientific 
community (Frye v. United States, 1923). 

To determine if the evidence meets the Frye standard, the proponent 
of the evidence would have to present a collection of experts to testify on 
whether the technique or issue being presented is generally accepted by the 
relevant scientific community (Saferstein & Roy, 2021). Although quickly 
accepted as the standard for admitting expert testimony, legal scholars became 
concerned as to whether this standard was sufficient or flexible enough to 
recognize novel or controversial scientific breakthroughs that have not yet 
gained general acceptance in the scientific community (see Smith & Bace, 
2002; United States v. Downing, 1985; Watson & Jones, 2013). Despite these 
concerns, a few state court jurisdictions in the United States still adhere to the 
Frye standard of scientific evidence (e.g., Alabama, California, and Illinois). 
However, Rule 702 of the FRE replaced the Frye standard in the federal and 


some state jurisdictions. 


Federal Rules of Evidence 702 


Created in 1975, Article VII of the FRE outlined specific guidelines for the 
admissibility of expert witnesses’ testimony in Rule 702. The original version 
of FRE 702 stated: 


.. if scientific, technical, or other specialized knowledge will assist the trier 
of fact to understand the evidence or to determine a fact in issue, a witness 
qualified as an expert by knowledge, skill, experience, training, or education, 


may testify thereto in the form of an opinion or otherwise (1975). 


In the United States, Rule 702 superseded the Frye standard at the fed- 
eral level (Marsico, 2005). Many state jurisdictions were confused as to 
whether this standard was an addition to or replacement of the Frye stand- 
ard. In addition, the original FRE 702 standard was rather ambiguous as to 
how the court was to determine whether someone was qualified to be an 
expert witness. In 1993, the debate on the admissibility standard for scien- 
tific expert witness testimony all changed with the landmark case Daubert v. 


Merrell Dow Pharmaceuticals. 
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The Daubert Standard 


In 1993, the US Supreme Court ruled on a case where the plaintiffs, two minors 
and their parents, sued Merrell Dow Pharmaceuticals claiming that the drug 
Benedictine caused the children’s birth defects since it was ingested during 
pregnancy by the mothers (Daubert v. Merrell Dow Pharmaceuticals, 1993). The 
case was eventually heard by the US Supreme Court. Both sides presented 
expert witness testimony. Merrell Dow Pharmaceuticals presented an expert’s 
affidavit, which summarized the published scientific literature and concluded 
that the drug did not have a history of causing human birth defects. This expert 
witness testimony was ruled admissible by the court. 

When the plaintiffs presented eight experts who testified that the drugs 
did in fact cause birth defects in animal research, the court ruled that this 
evidence was inadmissible because it did not meet the FRE 702 standards for 
admissibility. Specifically, the US Supreme Court ruled, “general accept- 
ance is not necessary precondition to the admissibility of scientific evidence 
under the Federal Rules of Evidence” (Daubert v. Merrell Dow Pharmaceuti- 
cals, 1993). 

In addition, Daubert v. Merrell Dow Pharmaceuticals (1993) held that any 
scientific expert testimony presented in federal court must undergo a reliability 
test. This reliability test is an independent judicial assessment, which is deter- 
mined by the trial judge, and is known as a Daubert hearing. The Supreme 
Court’s intention through this test was to end the “battle of the experts.” In 
addition, the US Supreme Court stated that the FRE imply that the judge acts as 
a gatekeeper, meaning the person responsible for assessing both the relevancy 
and reliability of the scientific evidence. In other words, “the responsibility of a 
judge in a Daubert hearing is to determine whether the underlying methodol- 
ogy and techniques that have been used to isolate the evidence are sound, and 
whether as a result, the evidence reliable” (Watson & Jones, 2013). By acting as 
a gatekeeper, the trial judge is responsible for keeping junk science out of the 
courtroom. 

Daubert v. Merrell Dow Pharmaceuticals (1993) suggested four criteria for 
determining whether the relevant scientific evidence, theory, or study is reliable, 


therefore admissible, in court: 


1 Testing: Has the theory or technique been empirically tested? 
2 Publication: Has the theory or technique been subjected to peer review and 


publication? 
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3 Error Rate: What is the known or potential rate of error? 
4 Acceptance: Has the theory or technique been generally accepted within the 


relevant scientific community? 


These criteria for determining the reliability and admissibility of scientific evi- 
dence became known as the Daubert standard. In the Daubert v. Merrell Dow 
Pharmaceuticals (1993) ruling, the Supreme Court did not specify whether some 
or all of these criteria are required in order for the scientific evidence to be 
admissible in court. Instead, it is up to the trial judge to determine which criteria 
are applicable to the scientific technique, theory, or study being examined at the 
Daubert hearing. 

Initially, the Daubert standard only applied to scientific evidence. However, 
in 1997, the court ruled in General Electric Co. v. Joiner (1997) that not only 
was the scientific evidence itself under review but the methodology and reliabil- 
ity of an expert’s reasoning process are also vulnerable to scrutiny under Daubert. 
The court has judicial discretion when determining if “there is simply too great 
an analytical gap between the data and the opinion proffered” for it to be admis- 
sible as scientific evidence in court (General Electric Co. v. Joiner, 1997). 

In 1999, the Daubert standard was extended to all expert testimony that 
involves scientific, technical, or other specialized knowledge in Kumho Tire Co. 
v. Carmichael (1999). In this case, the judge stated that since Rule 702 of the FRE 
does not make a distinction between “scientific, technical, and other specialized 
knowledge,” then the Daubert standard applies to each of these expert disciplines to 
assess reliability and admissibility. Overall, the current interpretation of the Daubert 
standard is really a summary of these three cases, Daubert v. Merrell Dow Pharmaceu- 
ticals (1993), General Electric Co. v. Joiner (1997), and Kumho Tire Co. v. Carmichael 
(1999), which are sometimes referred to as the Daubert trilogy (Berger, 2000). 

In 2000, Rule 702 of the FRE was amended to include the Daubert standard 
for determining the reliability and admissibility of expert witness testimony. In 
its most recent version, amended in 2011, Rule 702 of the FRE now states that 
a witness who is qualified as an expert by knowledge, skill, experience, training, 


or education may testify in the form of an opinion or otherwise if: 


1 the expert’s scientific, technical, or other specialized knowledge will help the 
trier of fact to understand the evidence or to determine a fact in issue; 

2 the testimony is based on sufficient facts or data; 

3 the testimony is the product of reliable principles and methods; and 

4 the expert has reliably applied the principles and methods to the facts of the case. 
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Overall, in the United States, the Daubert standard has had a significant impact 
on the way expert witness testimony is evaluated in the federal courtroom, as 
well as in most states. However, some states still apply the Frye standard or have 
adopted a standard of their own. Regardless, the field of digital forensics must 


be prepared to be scrutinized in the courtroom. 


International Response to Daubert and Frye 


The Daubert and Frye standards have spurred international recognition for 
the need to keep junk science out of the courtroom. According to the Law 
Reform Commission of Ireland (2008), the legal reform in the United 
States (1.e., Frye and Daubert) has been the “main catalyst for reform inter- 
nationally ... for developing admissibility criteria based on the reliability of 
evidence” (pp. 104-105). The Law Reform Commission of Ireland is an 
independent statutory body established by the Law Reform Commission Act 
of 1975. The primary role of the Law Reform Commission is to review 
and conduct research to determine if the law needs to be revised or simpli- 
fied, and, specifically, one of the Law Reform Commission’s projects was to 
evaluate the standards and procedures for evaluating scientific evidence (Law 
Reform Commission, 2008). 

In 2008, the Consultation Paper on Expert Evidence was released by the Law 
Reform Commission. In this report, the Commission summarized the case law 
from several countries that appeared to be moving toward a Daubert-like stand- 
ard for assessing the reliability of expert witness testimony (e.g., Australia, Eng- 
land, and Wales). The report also weighed the advantages and disadvantages of 
implementing a reliability test for Irish courts similar to the Daubert standard in 
the United States. Overall, the Law Reform Commission recommended that 
Ireland also adopt a reliability test for assessing the admissibility of all expert 


testimony (see Law Reform Commission, 2008). 


Admissibility of Digital Forensics as Expert Testimony 


According to Casey (2011), the digital forensics tools and techniques have suc- 
cessfully withstood the courts’ assessment of reliability and admissibility as sci- 
entific evidence. However, the ever-changing growth in technology makes it 
difficult to test and evaluate the variety of digital forensic tools in a quick and 


efficient manner. For example, as discussed in Chapter 14, NIST, an agency of 


the United States Department of Commerce, launched the Computer Forensic 
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Tool Testing project (CFTT) to “provide unbiased, open, and objective means 
for manufacturers, law enforcement, and the legal community to assess the 
validity of tools used in computer forensics” (NIST, n.d.). In addition, CFTT 
determines whether the results of the tools are repeatable and reproducible, 
both of which are needed to assess “trueness and precision” (NIST, 2003, p. 4). 
According to NIST, there are myriad different digital forensic tools currently in 
use by law enforcement worldwide (NIST, n.d.). 

Although these goals clearly reflect the Daubert standards, the major weak- 
ness of the CFTT project is the amount of time required to conduct these empir- 
ical evaluations (Flandrin et al., 2014). Therefore, “by the time the results are 
publicly available, the version of the tested tool might be deprecated” (Flandrin 
et al., 2014, p. 2). In addition, the time required to test the tools, as well as 
the fact many of these tools’ source codes are proprietary, make it difficult to 
determine known error rates (Carrier, 2003; Casey, 2019; Meyers & Rogers, 
2004). Still, the two most common digital forensics imaging tools, EnCase® 
and Forensic Toolkit", along with others have met the Daubert standard for 
admissibility (see Chapter 15; Casey, 2019; Guidance Software, Inc., 2003; 
Leehealey et al., 2012). For example, the general acceptance of EnCase and 
FTK by the scientific community was noted in the court case United States v. 
Gaynor (2008). In addition, EnCase and FTK have been extensively tested by 
the CFTT project. 

Finally, not only is the actual digital forensic evidence being reviewed, but 
the credentials of the digital forensic examiner or expert also fall within the 
Daubert reliability test. This includes the digital forensic examiner’s education, 
experience, training and professional credentials. This may be a problem in 
the field of digital forensics, which does not have a set standard for certify- 
ing digital forensic examiners (Casey, 2019; Meyers & Rogers, 2004). In fact, 
there is a wide variability of certifications available for digital forensic examin- 
ers. There are currently a number of professional certifications available, both 
vendor neutral (e.g., GIAC Certified Forensic Analyst) and vendor specific (i.e., 
tool specific, such as EnCase® Forensic Training Series; Ryan & Ryan, 2014). 
Thus, there is no standardized list of certifications or qualifications required in 
the digital forensics discipline in order to be considered a digital forensics pro- 
fessional or expert. 

Although the field of digital forensics is in its infancy, it has quickly gained 
recognition as a legitimate sub-discipline within the forensic sciences (see Chap- 
ter 14). For example, the American Academy of Forensic Science (AAFS) for- 
mally recognized the field of digital forensics in 2008 with the creation of the 
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Digital and Multimedia Sciences section — the first section added to the AAFS 
in 28 years. 

In addition, a number of peer-reviewed journals have emerged, including 
the Journal of Digital Forensics, Security, and Law, Digital Investigation, IEEE Trans- 
actions on Information Forensics and Security, and the International Journal of Digital 
Crime and Forensics. Thus, the peer recognition and publication prong of the 
Daubert standard has clearly gained momentum within the past decade for the 
field of digital forensics. 

Being well versed on the extensive body of case law and federal regulations 
pertaining to the role of digital evidence is a difficult task. In a study by Losavio 
et al. (2006), state general jurisdiction judges from around the country were 
surveyed to gain insight as to exactly what they know about digital forensics. 
Losavio et al. (2006) found that the judges in the study admitted to a low level 
of understanding and training with digital evidence in the courtroom. 

At the same time, judges displayed an eagerness to gain understanding through 
effective training methods. Since then, several government agencies and public- 
private partnerships have emerged around the country to address this gap in judi- 
cial experience. One of the most successful programs is the National Computer 
Forensics Institute (NCFI), a division of the United States Secret Service located 
in Hoover, Alabama. The NCFI is a training center operated by the United States 
Secret Service’s Criminal Investigative Division and the Alabama Office of Pros- 
ecution Services with the mission of providing high-quality, hands-on experience 
to law enforcement personnel around the country (see www.ncfi.usss.gov). In fact, 
they offer three courses designed for prosecutors and judges regarding digital foren- 
sic analyses at no cost. Overall, with the Internet’s growth and the corresponding 
increase in technology-facilitated crime, it is essential and inevitable that training 


and educational programs emerge for all members of the criminal justice system. 


Summary 


This chapter highlighted the challenges that digital evidence and investigators 
may face in presenting evidence at trial. The issue of compelling information 
sharing via key disclosure is also challenging, with no real global standard in 
place. These factors all demonstrate that the entire digital forensics process is 
under scrutiny, and the validity of digital forensics is assessed by whether or not 
the evidence is admissible in a court of law. Overall, technology is constantly 


changing so it is inevitable that national and international case law and federal 


regulations will change as well. 
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Key Terms 


Access key 

Admissibility 

Affidavit 

Amendment 

Apparent authority principle 
Arrest warrant 

Authenticity 

Best evidence rule 

Beyond a reasonable doubt 
Bill of Rights 

Cloud storage 
Communications and Multimedia Act 1998 
Compelled 

Conclusion 

Cybercrime Act 2001 
Daubert hearing 

Daubert standard 

Daubert trilogy 

Daubert v. Merrell Dow Pharmaceuticals (1993) 
Double jeopardy clause 

Due process clause 
Encryption 

Examination 

Exigent circumstance 
FBI-Apple encryption dispute 
Federal Rules of Evidence (FRE) 
Fifth Amendment 

Fisher v. United States, 1976 
Fourth Amendment 

FRE Rule 401 

FRE Rule 702 

FRE Rule 801 

FRE Rule 901 

Frye standard 


662 


Legal Challenges in Digital Investigations 


Frye v. United States (1923) 

Gatekeeper 

General Electric Co. v. Joiner (1997) 
Grand jury 

Hearsay 

Hypothesis 

In re Boucher (2007) 

Indian Evidence Act of 1972 
Information Technology Act of 2000 
Information Technology (Amendment) Act of 2008 
Incriminating 

Just compensation clause 

Katz v. United States (1967) 

Key disclosure law 

Kumho Tire Co. v. Carmichael (1999) 
Law Reform Commission 

National Computer Forensic Institute 
Observation 

Open field searches 

Original writing rule 
Password-protected files 

Philippine Rules of Electronic Evidence (PREE) 
Plain view doctrine 

Prediction 

Preponderance of evidence 

Probable cause 

Radio-frequency identification (RFID) 
Reasonable expectation of privacy 
Reasonableness clause 

Regulation of Investigatory Powers Act (RIPA) 
Relevant 

Reliability 

Right to privacy 

San Bernardino Case 

Scientific evidence 

Scientific method 
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Search 

Search and seizure 

Search incident to arrest 
Search warrant 

Section 49 request 
Self-incrimination 
Self-incrimination clause 
Seizure 

Standard of proof 
Subpoena 

Testimonial 

Traffic stop 

Unfair prejudice 

United States Constitution 
United States v. Fricosu (2012) 
United States v. Smith (1998) 
‘Warrant 

Warrants clause 


Discussion Questions 


1. There are a number of exceptions to the warrant requirement for a search 
and seizure. Identify five different exceptions to this rule and create a 
different scenario for each that would involve the search and seizure of 
electronic evidence. 

2. Identify the four criteria for determining whether digital forensic expert 
testimony is admissible in court according to the Daubert standard. Assess 
each of these criteria and explain whether or not digital forensic evidence 
should be admissible in court. 

3. There are inconsistencies between national and international laws on 
a variety of legal issues associated with digital forensic investigations. 
Describe two of these inconsistencies and discuss whether or not a uni- 
versal, international law or policy is possible regarding the treatment of 
digital forensic evidence in court. 
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4. Create two different scenarios involving third-party consent to con- 
duct a search and seizure. In the first scenario, the third-party mem- 
ber is not legally able to provide consent to law enforcement. In the 
second scenario, the third-party member is able to provide consent 
to law enforcement to conduct a search and seizure. Finally, do you 
agree with the current interpretation of the apparent authority prin- 


ciple? Explain. 
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Chapter Goals 


e Identify future trends in cybercrime offending and victimization 

e Recognize the prospective impact that new technologies will have on 
human behavior 

e Understand the ways that the proliferation of social media may influ- 
ence the nature of involvement in terror and extremist movements 
worldwide 

e Assess the ways that criminological theory can be improved with 
respect to cybercrime 

e Understand the ways that law enforcement strategies may need to 
adapt to online spaces 

e Recognize how digital forensics will evolve with technology generally 


Introduction 


The range of cybercrimes discussed throughout this book illustrates the com- 
plexity of these offenses and the unique ways that technology is being used by 
criminals to hide themselves, make it easier to engage in crimes on and offline, 
and connect with others. Since technology is constantly changing, it is difficult 
to know when or how offenders will adopt a new mode of offending based on 
access to the Internet. 

This issue was exemplified on December 11, 2016, when John Rayne Riv- 
ello, using the twitter handle @jew_goldstein, sent an animated gif, or Graphic 
Interchange Format image, to journalist Kurt Eichenwald’s twitter account 
(Kang, 2017). A gifis a series of images that are strung together to create a short 
animated scene, typically featuring cats, celebrities, or scenes from popular films. 
In this case, Rivello created a gif that acted as a strobe light to flash bright lights 
on and off in the hopes of causing Eichenwald, an epileptic, to have a seizure. 
In addition, the images contained the message “you deserve a seizure for your 
posts,” suggesting the sender intended to cause Eichenwald harm (Kang, 2017). 

Rivello was angry at Eichenwald, an investigative journalist who had worked 
for New York Times, Vanity Fair, and Newsweek, for his critical stories detailing 
the potential criminal activities of Donald Trump throughout the presidential 
election. Eichenwald’s work drew a great deal of fire from Trump supporters 
online who would frequently spam him with anti-Semitic messages and death 


threats. Rivello felt that Eichenwald deserved to be punished for his comments 
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and even texted friends saying “Spammed this [gif] at [Eichenwald] let’s see if 
he dies” (Kang, 2017). 

Upon seeing the gif, Eichenwald had an 8-minute seizure that caused him 
to lose control of his bodily functions and left him incapacitated for several 
days (Kang, 2017). Eichenwald’s wife subsequently contacted police and the 
FBI to investigate the sender. The FBI’s investigation subsequently led them to 
identify Rivello, despite his use of a disposable cell phone and twitter account 
with no identifying information. Rivello was charged with cyberstalking with 
the intent to kill or cause bodily harm, which is a rare set of charges to pursue 
with a cybercrime case. A grand jury in Texas hearing the case supported the 
notion that the GIF constituted a deadly weapon in the course of the assault 
because it was clearly designed to affect Eichenwald’s physical condition. A 
federal judge later ruled that the light waves emitted from the GIF image 
could be considered physical contact as the light was directed at Eichenwald 
and caused his physical injury. Rivello was also initially charged with com- 
mitting a federal hate crime on the basis that he decided to attack Eichenwald 
on the basis of his religious identity. Federal charges were later dropped, and 
the state trial was postponed indefinitely because of the COVID-19 pan- 
demic. Rivello eventually had to pay Eichenwald $100,000 in civil damages 
(Charles, 2020). 

The use of an online image to cause real world harm is relatively rare, mak- 
ing this entire case relatively unprecedented. This case demonstrates the diffi- 
culty that is present in forecasting the future of cybercrime. There are a range of 
factors that will influence any trends in cybercrime, including the popularity of 
a given technology, the recognition among offenders of how to use these 
devices, and the ability for law enforcement to investigate these offenses. This 
chapter will attempt to consider all of these issues in order to provide some 
context for the future of cybercrime from the standpoint of offenses, research- 
ers, and policing. We will also discuss the challenges inherent in legislating 


against cybercrimes in an increasingly borderless world. 


For more information on one of the first instances of individuals 
using the Internet as a means to cause physical harm to others in 
the real world, go online to: http://www.news.com.au/technology/ 


anonymous-attack-targets-epilepsy-sufferers/news-story/702ed0bbf0b49 
dd63aaee33£295ba1d4 
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Considering the Future of Cybercrime 


Since multiple forms of cybercrime have been observed for more than 
30 years, it is unlikely that they will ever cease due to legislative or policing 
efforts. Instead, there is greater value in considering the ways that the plat- 
forms used by offenders will change in the near future. As our technology use 
patterns change, so too will the practices of cybercriminals to better exploit 
vulnerable populations. 

One key change has been in the use of so-called trusted platforms as a 
means for hackers to gain access to, and compromise, targets. Specifically, they 
gain access to a seemingly secure or trustworthy source for software or critical 
system updates, and then compromise that service. In turn, hackers can then use 
that pathway to gain access to sensitive networks and spread malware, steal files, 
and more (see Box 17.1). This type of attack was observed in the spread of the 
NotPetya malware in 2018 (see Chapter 10), which spread through attackers 
infecting a key piece of tax software used by companies in Ukraine. 

The benefit of compromising a trusted service lies in the fact that the hack- 


ers’ true targets may not question the security of that service. Instead, they will 


Box 17.1 Understanding Why Hackers Target 
Trusted Services 


Supply Chain Attacks Show Why You Should Be Wary of 
Third-Party Providers 


https://www.csoonline.com/article/3191947/supply-chain-attacks- 
show-why-you-should-be-wary-of-third-party-providers. html 


The risks associated with a supply chain attack have never been higher, 
due to new types of attacks, growing public awareness of the threats, 
and increased oversight from regulators. 


This article highlights the clear value for hackers in targeting the so-called 
software supply chain, constituting the various vendors that service com- 
panies’ financial, processing, and other needs around the world. When 
an attacker can affect those service providers, they are then able to affect 
multiple targets simultaneously. This article also explains how companies 


can improve their response to benefit the broader cybersecurity landscape. 
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largely assume that it is doing its due diligence to remain secure and remain 
connected to its infrastructure for updates and services. This sort of thinking 
was likely why hackers compromised a US IT company called Solar Winds in 
early 2020 and used its platform as a backdoor into multiple sensitive govern- 
ment agencies (Jibilian & Canales, 2021). Evidence suggests that the attackers, 
most likely operating with nation-state backing, compromised SolarWinds’ 
software and added malware to one of its system updates that was thought to 
have affected up to 18,000 of their customers (Jibilian & Canales, 2021). Once 
installed, that malware provided attackers with access to those companies, 
including various government agencies and major corporations. The attackers 
were thought to have had access to these targets for months, and it is still not 
clear how deep the attackers may have been able to penetrate into sensitive 
systems and access data held across both public and private entities (Jibilian & 
Canales, 2021). 


For more on a timeline of the SolarWinds hack, go online to: 
https://www.csoonline.com/article/3613571/the-solarwinds-hack- 
timeline-who-knew-what-and-when.html 


Similarly, the rise of various creator-driven subscription sites like OnlyFans, 
AVN Stars, Just for Fans (J/FF), and Unlockd may be transformative for the 
production of online pornography. As noted in Chapter 7, individuals can ease 
ily set up profiles on these sites to receive payment for the production of adult 
lewd and more serious pornographic content (see Box 17.2 for detail). They 
can produce content on a rotating basis depending on subscription models and 
advertise their profiles through various social media platforms like Instagram, 
Snapchat, and Twitter. 

Such practices are largely legal, though they create opportunities for other 
forms of cybercrime, such as intellectual property theft through the distribution 
of created content without their authorization (Cole & Cox, 2020). In addition, 
some creators may attempt to use these sites to solicit sex for money, which may 
violate their terms of service. In addition, it is possible that individuals under the 
age of 18 create accounts on these sites as a means to make money (Tenbarge, 
2020). Such activities would, however, constitute the production of child por- 
nography which is highly illegal and heavily policed. As a consequence, sites 


like Instagram and TikTok have begun to delete user posts or content that 
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Box 17.2 Understanding the Role of OnlyFans in 
Sex Work 


Sex Workers Pivoted to OnlyFans, But There Are a Lot of 
Amateurs There Too 


https://www.marketplace.org/shows/marketplace-tech/sex-workers- 


pivoted-onlyfans-there-are-lot-amateurs-there-too/ 


In theory, anyone can use OnlyFans. But it’s home to a lot of adult 
content, and sex workers have found themselves learning how to be 
creators and battling for attention among all kinds of other would-be 


influencers. 


This article highlights the challenges for individuals seeking to use Only- 
Fans as a platform to earn a living, whether through the production of 
legitimate adult content or other activities. The author emphasizes the 
unique dynamics that make it difficult for individual content creators to 
gain followers and how little individuals may actually make as a result. 


potentially involve this content, such as nude or sexually explicit content (Moss, 
2021). Though proactive policing efforts on the part of social media sites helps 
to minimize harm to the public, they may not completely eliminate the use of 
their platforms for illicit sex work. 

The COVID-19 pandemic has also created opportunities for cybercriminals 
to exploit victims through various scams that will likely continue to be relevant 
over the next decade. The persistence of the virus and need for testing and vac- 
cinations around the world provide scammers with immediate opportunities to 
draw in people of all ages. For instance, there is evidence that vendors on both 
Open and Dark Web sites are selling fraudulent vaccination cards to the public 
for individuals who want to move through the public with minimal restrictions 
while avoiding the need to receive the vaccine themselves (Cerullo, 2021). 
Some vendors are also selling vaccines by the does, though it is not clear if the 
product is the legitimate medical product, properly stored and produced, or an 
adulterated dose (Tidy, 2021). 

Hackers have also used the opportunity created by the large number of 
people working from home to target vulnerable systems. For instance, a hacker 
group called Evil Corp. monitored Virtual Private Network (VPN) login sites 
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used by employees at various companies to then infect those systems and gain 
access to corporate networks (BBC, 2020a). Fraudsters have also used oppor- 
tunities afforded by the pandemic to steal funds from people through a number 
of different schemes (Smith, 2021). For instance, some cybercriminals have set 
up phishing schemes related to COVID-19 testing programs, sending text mes- 
saging indicating that the recipient must take an online COVID-19 test. Should 
the person click through the link the scammer provides, they are then asked to 
enter in sensitive personal information, including their US social security num- 
ber, credit card or banking information, and other information (Smith, 2021). 
The practices of cybercriminals will likely continue to evolve in tandem with 
the pandemic and adjust to the ebb and flow of infections and changes in 


human behavior. 


For more on COVID-19 scams, go online to: https://www.ftc.gov/ 


coronavirus/scams-consumer-advice 


How Technicways Will Shift with New Technologies 


As evident throughout this book, human beings readily adapt their social habits 
and methods of engaging with the world to fit with available technologies. This 
process of behavioral changes based on technological changes is referred to as 
technicways and can lead to large-scale institutional changes based on evolu- 
tions in behavior (see Chapter 1; Odum, 1937). For instance, individuals now 
use email and electronic communications to connect with others rather than 
traditional hand-delivered mail through a postal service. How technicways will 
continue to lead to behavioral change is not immediately apparent, though it 
will most likely stem from the success or failure of several new technologies that 
are becoming available to consumers over the next few years. 

There is particular concern over the security of Internet-connected devices 
that can be controlled through applications on smartphones or web browsers, 
creating what some refer to as the Internet of Things (IoT), or all non- 
computing devices connected together via the Internet (Curtis, 2013). For 
instance, smart watches, Internet-enabled security cameras, smart doorbells and 
security systems, web-based baby monitors, thermostats, televisions, and even 
vehicle components are all IoT devices (Braddock, 2020). Even more con- 


cerning is the fact that many IoT devices like televisions, web cameras, and 


appliances do not have much by way of security features to protect them from 
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compromise (Marotti, 2019). Instead, they are largely only as secure as the user- 
name and passwords used to manage your account and access to the applications. 

The use of IoT devices also creates security risks that cut across physical and 
virtual environments. For instance, running an app on your phone that allows 
you to access and control home security settings in effect turns the device into 
a set of keys (Curtis, 2013). If you were to lose your phone, an individual who 
picks it up could be able to remotely control the security of your home. Simi- 
larly, controlling the heating and cooling system of your home through a wire- 
less device means that hackers could potentially access these systems remotely 
(Braddock, 2020). As a result, there have been several reports of individuals 
whose smart thermostats and security systems were remotely accessed by hack- 


ers and used to speak to the residents or threaten them (Marotti, 2019). 


For more on the difficulties of securing a variety of IoT devices, 
go online to: https://www.intellectsoft.net/blog/biggest-iot-security- 
issues/## 


The rise of the COVID-19 pandemic has also introduced opportunities for 
hackers to gain access to sensitive health data via tracking applications installed 
on mobile devices. Several states across the United States, and nations around 
the world, developed smartphone applications that enable improved contact 
tracing based on the physical locations individuals visit in real time. Specifi- 
cally, these applications allow users to be tracked to determine their exposure 
to anyone who may have been infected and help reduce the transmission of the 
virus overall (Starks, 2020). 

The speed with which these applications were produced meant that they 
were also not fully vetted for security flaws, some of which could be extremely 
serious (see Box 17.3 for an example). For instance, the national contact tracing 
application for Qatar contained a vulnerability that would have allowed hackers 
to obtain the national identification number and health status of users (Starks, 
2020). The state of North Dakota also implemented an application which was 
sharing users’ location data to the digital marketing company Foursquare with- 
out their knowledge (Jumbo Privacy, 2020). Though the risks presented by 
such apps may be reduced over time with improvements to data protection and 
privacy plans, the potential for data to be leaked should be concerning to all. 

Even more concerning is the fact that many IoT devices like televisions, web 


cameras, and appliances do not have much by way of security features to protect 
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Box 17.3. The Difficulties of Using Contact 
Tracing Apps 


Fearing Coronavirus, a Michigan College Is Tracking Its 
Students with a Flawed App 


https://techcrunch.com/2020/08/19/coronavirus-albion-security- 


flaws-app/ 


Worse, the app had at least two security vulnerabilities only discovered 
after the app was rolled out. One of the vulnerabilities allowed access 
to the app’s back-end servers. The other allowed us to infer a student’s 
COVID-19 test results. 


This article explores the security risks evident in an application that Albion 
University in Michigan required students to use in the fall 2020 semester. 
Though the use of contact tracing is intended to improve the health and 
safety of all, the security and privacy threats outlined in the article must 
also be balanced so as to ensure user information is not compromised. 


them from compromise, or to notify the user of an attack. This is particularly 
concerning when considering the increased push by automotive manufacturers 
to produce Internet-connected and autonomous or self-driving vehicles (Dim- 
itrakopoulos, 2011; Lu et al., 2014). These devices, often referred to as CAVs 
(Connected and Autonomous Vehicles), utilize the existing infrastructure 
of modern car manufacturing but are enhanced by computer controls, electron- 
ics, wireless technologies, and integrated infotainment systems that connect to 
mobile devices (Gerla et al., 2014). As a result, there are now some vehicles that 
can be self-driving based on real-time information sharing and connectivity to 
various devices, vehicles, road markers, GPS, and other parts of the transporta- 


tion infrastructure (Gerla et al., 2014). 


For more information on vehicle attacks, go online to: https:// 


upstream.auto/research/automotive-cybersecurity/ 


The emergence of CAVs and the applications and systems that support them 


are all potential targets for hackers and car thieves generally (Greenberg, 2015, 
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Box 17.4 An Example of a Serious, but Controlled, 
Vehicle Hack 


Hackers Remotely Kill a Jeep on the Highway —- with Me in It 


https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ 


Their code is an automaker’s nightmare: software that lets hackers 
sends commands through the Jeep’s entertainment system to its dash- 
board functions, steering, brakes, and transmission, all from a laptop 


that may be across the country. 


This article explains a vehicle hack identified by cybersecurity researchers, 
and its application in a real-world setting. The writer was driving the vehi- 
cle when the researchers remotely hacked the vehicle, and he describes in 
great detail how disorienting the experience was. This article provides an 
excellent overview of how vehicle hacks operate in practice. 


2016; 2017). To date, there have been a small number of security incidents 
directly targeting the Internet-enabled components of CAVs mostly under 
highly controlled circumstances by researchers (see Box 17.4 for detail). At the 
same time, the potential for serious harm cannot be ignored, as motor vehi- 
cle accidents can be fatal to drivers, passengers, and pedestrians. For instance, 
a woman crossing an intersection on a bike was killed when she was hit by 
a self-driving vehicle. The car was under testing by the ride-share company 
Uber, and contained a safety-driver, who was streaming a television show at 
the time of the collision (Cellan-Jones, 2020). Though such an incident appears 
to be an example of human error, it highlights that smart vehicle technology is 
not failsafe and can cause grave harm to the public (Cellan-Jones, 2020). Thus, 
we should give careful consideration to the impact that our rather immediate 
adoption of technologies can have on our lives before we take the equipment 
out of the box. 


Social Movements, Technology, and Social Change 


While technology will no doubt force subtle shifts in patterns of human behav- 
ior, it will also be at the forefront of rapid social changes in political and govern- 


ment structures. The Internet and computer-mediated communications (CMCs) 
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provide individuals with an outlet to express dissent with policies and practices 
of their own government or those of foreign nations (see Chapters 10 and 11; 
DiMaggio et al., 2001; Van Laer, 2010). These technologies also allow nation- 
states’ most vulnerable and critical systems to be attacked with greater secrecy 
and fewer resources than might otherwise be required offline (Brodscky & Rad- 
vanovsky, 2010). Now that attack techniques like NotPetya and Stuxnet have 
made cyberattacks against critical infrastructure a reality rather than a theoretical 
potential, we can expect this to become increasingly problematic. 

At the same time, the proliferation of the Internet may play a vital role in 
transforming the nature of violent extremist activity in the real world. Since 
the Internet and social media have revolutionized access to extremist groups 
and messaging, it possible for individuals to be exposed to radical messaging 
from anywhere at virtually any time. Acceptance of an ideology may no 
longer be dependent on intense or proximal real world social relationships, 
but rather on the extent to which messaging connects with the individual. 
Some may refer to this process as “self-radicalization,” in that the individ- 
ual comes to accept a radical ideology on the basis of exposure to extrem- 
ist content online without the need for actual physical social engagements 
with those in the movement. Even if a person makes tangential ties on the 
basis of interactions via social media, email, or a forum, this sort of contact 
constitutes a social interaction within the context of a larger extremist or 
terrorist subculture. 

The problem of self-radicalization can be observed around the world through 
acts of violence performed across the political spectrum, such as the mass shoot- 
ing performed by Omar Mateen who killed 49 people and wounded 53 others 
at the Pulse nightclub in Florida in June 12, 2016 (Wilber, 2016). Mateen had 
no immediate prior affiliation with any known terrorist group and appeared 
to have radicalized largely through online videos uploaded by radical groups, 
including beheadings of various people (Goldman, 2016; Wilber, 2016). 

In 2019, Brenton Tarrant killed 50 people and injured 47 in Christchurch, 
New Zealand. This attack targeted worshipers at two mosques and evidence 
from Tarrant’s online manifestos suggests he did this as revenge against Muslims 
for acts of jihadi violence (BBC, 2020b). In fact, he livestreamed the shooting 
on Facebook as a means to promote his beliefs, recruit others to engage in 
violence, and spread fear in the population. Substantial evidence suggests he 
was highly active online and posted frequently in far right websites and forums, 
though it is not clear if he radicalized in part from offline associations with 


radical groups (BBC, 2020b). Regardless, his online activities and lack of prior 
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violent behaviors highlight the potential role the Internet played in shaping this 
act of violence. 

These incidents are all reflective of ideologies and hate group activities 
that existed prior to the Internet. In the last few years, there have been 
a number of acts of violence that have occurred stemming from ideologi- 
cal movements that have grown purely online. As an example, a subculture 
referred to as the involuntary celibate, or incels, has developed in online 
forums and websites (O’Malley et al., 2020). The participants espouse a belief 
that they are unable to have sexual relationships because of the perceived 
unfair social structures that enable women to keep men from having sex. 
Individuals often become involved in this subculture as a result of feelings of 
inadequacy or difficulty connecting with others and seek out online commu- 
nities where they can discuss their frustrations with dating (Tolentino, 2018; 
Van Valkenburgh, 2018). 

The more time individuals spend with others increase their exposure to 
highly negative and misogynistic views of women that encourage violence 
against women over their control over sex as a resource (O’Malley et al., 2020; 
Tolentino, 2018). There have been a small number of acts of violence per- 
formed by members of the incel subculture, particularly Elliot Rodger who 
killed seven people in Santa Barbara, California in 2018 (BBC, 2018). Rodger 
was heavily engaged in incel forums and wrote a detailed manifesto emphasizing 
the need for violence against both men and women who effectively kept him 
from being able to have sexual relationships (BBC, 2018). 

Similarly, the rise of the online global conspiracy theory called QAnon has 
spurred violence over the last few years (Beckett, 2020). Adherents of this the- 
ory believe that the world is run by a cabal of devil-worshiping pedophiles who 
run both the Democratic party and various aspects of the media (Beckett, 2020). 
To maintain their power, they kidnap children, force them to engage in sex acts 
and then kill them. Former President Donald Trump was believed by QAnon 
to be working to root out these individuals during his presidency (Beckett, 
2020). All of this information was shared through cryptic messages posted anon- 
ymously in an underground forum by a supposedly high-ranking government 


insider with “Q” security clearance. 


For more on the rise of QAnon, go online to: https://www. 
nbcnews.com/tech/tech-news/how-three-conspiracy-theorists-took-q- 
sparked-qanon-n900531 
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Box 17.5 Understanding QAnon-Related Violence 


QAnon: A Timeline of Violence Linked to the 
Conspiracy Theory 


https://www.theguardian.com/us-news/2020/oct/15/qanon-violence- 


crimes-timeline 


“QAnon has not brought a single child abuser closer to justice,” View 
said. “But QAnon has radicalized people into committing crimes and 


taking dangerous or violent actions that put children at risk.” 


This article provides an excellent overview of the range of real-world 
harm stemming from belief in the QAnon conspiracy, including multi- 
ple kidnappings and threats against politicians in the United States and 
Canada. The fact that these events have all occurred since 2018 also high- 
lights why the FBI describes adherents to this conspiracy as a domestic 
terror threat in the United States. 


Despite the relatively outrageous premise of this movement on face, many 
people across the world believe aspects of the theory. The acceptance of the 
theory led some to engage in extreme acts to bring justice for children, and 
the world as a whole (see Box 17.5 for detail). For instance, on June 15, 2018, 
a man named Matthew Wright blocked a bridge near the Hoover Dam in 
Nevada (Ruelas, 2021). He was armed with multiple weapons and 900 rounds of 
ammunition and was driving a partially armored vehicle. The traffic jam caused 
by his blockade led police to the scene, and during this time, he demanded that 
then-President Trump begin to make the mass arrests promised by Q, stating 
“Uphold your oath. Please, Mr. President. We deserve the truth.” (Ruelas, 
2021) After an hours-long standoff with police, he eventually moved off the 
bridge. He peacefully surrendered and was sentenced in January 2021 to serve 
over seven years in prison for charges related to terrorism and unlawful flight 
(Ruelas, 2021). 

Despite the election of Joe Biden as president in 2020, QAnon still holds 
sway for some in the public. In fact, members of the QAnon movement were 
involved in the riot and attempted insurrection in the United States Capitol 
complex in Washington, DC on January 6, 2021 (Rubin et al., 2021). Par- 


ticipants in that riot stormed Congress and attempted to stop the counting of 
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electoral votes that would certify Biden as president. The very real violence of 
that day, and its intersection with QAnon (Rubin et al., 2021), highlights the 
need for future study to understand the behavioral, psychological, and social 
factors that may spur self-radicalization to online beliefs systems. Such research 
is essential, so that we may better understand how terror and extremism will 


evolve as a result of technology. 


Need for New Cyber Criminological Theories? 


The various chapters of this book also illustrated the various ways in which 
technology has influenced the commission of many forms of crime. In most 
instances, “newer” forms of crime were not born from technology. Instead, 
criminals were able to use the Internet and various devices to commit traditional 
forms of crime and deviance in more effective and efficient ways. Thus, the 
notion that cybercrime can be viewed as “old wine in a new bottle” (Grabosky, 
2001; Wall, 1998; see Chapter 13) has strong merit. In fact, the current body of 
criminological research on cybercrime as discussed in Chapter 13 demonstrates 
that traditional theories of offending apply well to cybercrimes that have sub- 
stantively similar counterparts in the physical world, such as theft, harassment, 
bullying, and pornography. In addition, traditional criminological theories have 
also provided considerable insight to somewhat more technical cybercrimes, 
such as unauthorized access to computer systems. 

For example, one of the strongest predictors of cybercrime offending is 
the same as that of traditional crime — associating with delinquent or crimi- 
nal peers (Holt & Bossler, 2014). Having friends who engage in various forms 
of cybercrime increases the likelihood that the individual will engage in these 
same offenses as well. Also, definitions (e.g., values, norms, and statements) 
that support involvement in cybercrimes are also associated with an individual’s 
willingness to engage in cybercrime, as is their acceptance of techniques of neu- 
tralization that justify offending behavior. In the social control literature, low 
self-control has been repeatedly found to be a significant predictor of almost all 
types of crime, including various forms of cybercrime (Holt & Bossler, 2014). 

Given the support that these theories have in the larger literature, one of the 
most critical steps researchers can take to move the discipline forward is to elab- 
orate on these existing theories. For instance, though it is clear that deviant peer 
relationships directly increase the risk of cybercrime offending, few have iden- 
tified whether virtual peer networks or those in the real world have a greater 
impact on activity (Higgins, 2005; Holt et al., 2010; Miller & Morris, 2016). It 
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may be that having friends in the real world who engage in cybercrime is more 
pertinent to the introduction of these activities. For example, Miller and Morris 
(2016) found that traditional peers had a larger impact on the commission of 
digital piracy than virtual peers within a college sample. A recent case study 
analysis performed by Leukfeldt and colleagues found that offline relationships 
were important in the formation of criminal networks to facilitate phishing and 
malware use (Leukfeldt et al., 2017). Those who had access to online social 
networks of cybercriminals via forums, however, were more likely to engage in 
technical offenses with greater ease and efficiency. Both of these studies point to 
the need for additional studies using data from unique sources to better under- 
stand the intersections of virtual and traditional offline relationships in order to 
disentangle the relationship between peers and cybercrime generally. 

There is also a need for research considering how certain demographic fac- 
tors affect the likelihood of engaging in or becoming a victim of cybercrime. 
In criminological research on real-world offenses, there is a significant relation- 
ship between living in poverty and the risk of offending and victimization (see 
Bradshaw et al., 2009; Bursik & Grasmick, 1993). While technology use has 
become more ubiquitous, even for those living in low-income communities, it 
is possible that the degree to which individuals use these devices on a daily basis 
may significantly affect the risk of cybercrime victimization. Individuals living 
in poverty generally may have little disposable income for Internet connectiv- 
ity or online shopping and may be less inclined to own their own computer. 
Instead, they may use computers in local libraries or other publicly accessible 
locations, which may reduce their risk of malware infections or computer hack- 
ing (Smith, 2013). The same individual may be more likely to use a mobile 
phone in order to access social media and email, which may increase their risk 
of cyberbullying and harassment (Smith, 2013). Limited research has found a 
link between youth living in disorganized communities and their experience 
with both cyberbullying victimization (see Holt et al., 2014) and engagement 
in hacking behaviors generally (Holt et al., 2020; Udris, 2016). Thus, further 
study is needed to understand the potential association between neighborhood 
conditions and the risk of both cybercrime offending and victimization. 

At the same time, this book has demonstrated that there is something unique 
about cybercrime offending that separates it from traditional crime. There are 
some instances of “new wine,” such as malware creation, that has little connec- 
tion to either the physical world or the second part of the analogy — the new 


bottle. In this case, examining the uniqueness of cybercrime might allow us to 


better understand these phenomena as well as provide brand new insights on 
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traditional forms of crime as well. For instance, studies examining the preva- 
lence of technically complex forms of cybercrime like malware creation are rel- 
atively rare among University student samples and generally find few behavioral 
correlates (e.g., Rogers et al., 2006; Skinner & Fream, 1997). More research 
is needed to identify not only the prevalence and activities of these technically 
sophisticated forms of malware writers and users but also what behavioral or 
attitudinal drives make these criminals distinct from other criminals and their 
acts that require less knowledge or skill on the part of the offender. 
Considering that criminological theory development has slowed over the last 
few decades, discussions of new cyber-specific criminological theories might be 
the catalyst that rejuvenates this field. For instance, the discussion of digital drift 
(Goldsmith & Brewer, 2015) presented in Chapter 13 demonstrates that there 
may be utility in revisiting older criminological frameworks that recognize the 
unique nature of criminality. Individuals need not view themselves as criminals 
or delinquents in order to engage in such activities online; opportunities to 
offend are omnipresent, and it is up to the person to avoid offending. Though 
this framework has potential value, no empirical research to-date has tested 
propositions of digital drift. Thus, more study is needed to understand its true 
capability. Taken as a whole, the future of cybercrime research is bright. The 
field will help elaborate complex associations that have been held in the tradi- 
tional literature for decades while also providing new insights into the commis- 


sion of crime — both traditional and cyber-related. 


Shifting Enforcement Strategies in the 
Age of the Internet 


As noted throughout this text, law enforcement agencies across the world are 
engaged in the investigation of cybercrime. The capabilities of these agencies 
to investigate cybercrimes range greatly based on both the specific agency in 
question as well as the type of cybercrime being investigated. Governments 
have provided substantive resources to fund policing agencies to pursue child 
exploitation crimes and child sexual abuse materials as individual units and in 
connection with one another (see Chapter 8). Few mechanisms, however, exist 
to help connect the investigative capabilities of local, state, federal, and interna- 
tional agencies in their investigations of serious hacking incidents, malware use, 
and data theft (see Chapter 2). 

In order to move beyond the limits posed by limited inter-agency coop- 


eration, some degree of innovation is required in order for police agencies to 
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disrupt and deter some forms of cybercrime. One strategy that is currently being 
tested in Europe involves the use of prevention campaigns tailored to young 
hackers at the start of their offending careers (Pritchard, 2020). For instance, the 
Dutch National Police High Tech Crime Team, in conjunction with prosecu- 
tors, the Ministry of Justice, as well as private industry implemented a program 
called Hack_Right in 2017. The focus is on transitioning youth who demon- 
strate criminal hacking propensities, particularly involvement in DDoS, phish- 
ing, and criminal hacks, to use their skills for cybersecurity and ethical hacking 
behaviors (Pritchard, 2020). 

A small number of youth have gone through the program, which is tai- 
lored to each person and focuses on helping them to understand the harm their 
activities may cause (Pritchard, 2020). The program also connects individuals 
to industry, so that they can identify the much broader range of legitimate 
applications for hacking techniques to better society and improve the state of 
security. Should such programs prove successful over time, they may provide 
an excellent direction for the future to deter some forms of serious cybercrime 
over the long term (see also Holt & Bossler, 2014). 

The rise of encrypted applications and services, noted throughout this 
work, also present challenges for law enforcement. Offenders utilize ser- 
vices like Tor to conceal their location and engage in a host of offenses, 
from drug sales to child sexual exploitation offenses. Over the last five years, 
encrypted chat applications for use on mobile devices have also become 
a tool to conceal one’s text-based communications with others. There are 
a range of these applications, including Signal, Telegram, and Viber, which 
encrypt the contents of a message, so that only the recipient and sender can 
read the message, and it cannot be accessed while in transit or when stored. 
The use of encrypted chat apps presents a substantial risk to police agen- 
cies and prosecutors, as an inability to access the content of messages may 
make it difficult to prove an individual’s involvement in a criminal act (see 
Box 17.6 for an example). 

A number of techniques have been applied by police agencies across the 
world to help defeat these forms of encryption, with some being more successful 
than others. For instance, the FBI in the United State previously used so-called 
network investigative techniques (NIT) to compromise the browsers of indi- 
viduals who visited various Dark Web sites in order to determine their real iden- 
tity and location via IP address information (Farivar, 2017). Though the use of 
NIT enabled the arrest of hundreds of offenders, particularly those engaged in 


child sexual exploitation crimes, several of those accused questioned the legality of 
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Box 17.6 The Risks Encrypted Apps Pose to the 
Criminal Justice System 


Why Full Evidence of the Plot to Kidnap Michigan Gov. 
Whitmer May Never Be Known 


https://www.usatoday.com/story/news/nation/2020/10/19/encrypted- 
apps-threema-wire-whitmer-kidnap-plot/3710295001/ 


“Another term for this type of code is ‘warrant-proof encryption,” 
Nanz said. This means the company providing the messaging service 
can’t turn over the communication records even when it is ordered by 


the court. 


This article explains the ways that encrypted text apps were used by mem- 
bers of a plot to kidnap the state of Michigan’s governor, Gretchen Whit- 
mer, in 2020. The group’s planning and communications were primarily 
through two encrypted applications, some of which could not be obtained 
through warrants due to the company locations and the nature of the mes- 
sages themselves. In fact, the messages entered by prosecutors as evidence 
for the case were provided by a confidential informant who had access to 
their content. The article also explains in some detail how such applica- 
tions differ from traditional messaging clients and what risks they present 


for future investigations and criminal prosecutions. 


these techniques in court (see Box 17.7 for detail). One individual, Jay Michaud, 
challenged the government’s case against him on the basis that his personal infor- 
mation was acquired illegally (Farivar, 2017). Michaud claimed that the NIT 
employed was actually a form of malicious software that may not have been legal 
for the FBI to use. The District Judge hearing the case ordered the government 
to hand over the details of the NIT, so that attorneys could understand how their 
clients’ information was obtained, and to what extent the tool may have acquired 
other data. The government felt they were unable to disclose the details of the 
NIT which are currently classified. As a result, they dropped all charges against 
Michaud in favor of retaining the possibility of prosecution at a time when the dis- 
closure of the NIT will not affect their ability to use the technique (Farivar, 2017). 

A small number of law enforcement actions have been taken against 


encrypted application service providers, though it is unclear how police were 
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Box 17.7. The Challenge of Law Enforcement 
Efforts to Hack Tor 


A Dark Web Tycoon Pleads Guilty. But How Was He Caught? 


https://www.technologyreview.com/2020/02/08/349016/a-dark-web- 
tycoon-pleads-guilty-but-how-was-he-caught/ 


“The overarching question is when are criminal defendants entitled 
to information about how law enforcement located them?” asks Mark 
Rumold, a staff attorney at the Electronic Frontier Foundation, an 
organization that promotes online civil liberties. 


This article considers the prosecution of Eric Marques, who ran a ser- 
vice called Freedom Hosting, which provided website hosting services for 
myriad illegal operations on the dark web, including several child sexual 
exploitation material distribution sites. Marques was eventually arrested in 
Ireland after his location was determined through an unclear application of 
hacking techniques by the FBI. The author calls to question whether his 
arrest is technically legal, or may have violated his rights, and how future 
investigations may need to be structured to avoid further risks. 


able to break their protections. For instance, on March 9, 2021, multiple 
European law enforcement agencies, including Europol, announced they had 
cracked a Canadian-based secured communications service called Sky ECC 
(Bracken, 2021). The company sells all manner of mobile devices with special- 
ized encryption software installed that allows users to communicate with one 
another inside of an essentially closed, secured network. Sky ECC is estimated 
to have 170,000 users globally, though a substantial number reside in Europe 
(Bracken, 2021). 

It is unclear how Sky ECC’s encryption protocols were defeated, but police 
in Belgium and the Netherlands made arrests as part of an investigation into the 
illicit use of these services for various crimes (Bracken, 2021). Days later, on 
March 12, 2021, the company CEO and a former product distributor were 
indicted by the US Department of Justice on charges associated with the Rack- 
eteer Influenced and Corrupt Organizations (RICO) Act (Goodwin, 2021). 


The charges were based on the company’s involvement in supporting the sale 


of narcotics through the use of their secured application services. Should such 
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coordinated efforts generate successful prosecutions, they may provide a novel 
framework to defeat the use of encryption among criminals in the future. 


For more on how the police monitored millions of encrypted mes- 
sages, go online to: https://www.vice.com/en/article/3aza95/how- 


police-took-over-encrohat-hacked 


Considering the Future of Forensics 


The globalization of technology has vastly changed the field of digital foren- 
sics. Traditional computer forensics focused only on dead-box forensics involv- 
ing cases of inappropriate use policies or unauthorized computer access. Today, 
almost every criminal investigation will involve at least one form of digital evi- 
dence (DE) due to the increased use of technology in our daily lives; in addition, 
criminal cases are likely to involve more than one form of DE (mobile phone, 
internet browsing history; see Chapter 14 for discussion). Approximately 51 per- 
cent of the world’s population (4 billion) was using the Internet by the end of 
2019 (International Telecommunication Union [ITU], 2020), which is up from 
41 percent in 2015. In addition, there is still a disparity in that Internet penetra- 
tion rates are only at 44 percent for developing countries compared to 87 percent 
for the developed countries (ITU, 2020). However, the number of individuals 
using the internet increases when we only consider youths (i.e., 15-24 years 
old) to 98 percent for developed countries and 66 percent for developing coun- 
tries. Finally, the ITU (2020) report indicates that for the first time in history 
mobile-cellular subscriptions declined from 2019 to 2020, possibly as a result of 
the COVID-19 pandemic and resulting issues with socioeconomic status. 

This continued increase in technology globalization guarantees that the 
criminal justice system (e.g., law enforcement, attorneys, and judges) will need 
to become more familiar with the basic, if not more advanced, forms of digital 
forensic investigation. In addition, the digital forensics investigator will need to 
sort through a variety of digital devices (e.g., IoT) as well as filter out irrelevant 
digital information from massive volumes of data (e.g., 18 TB hard drive). As 
a result, this will likely force changes in the ability of criminal justice personnel 
to become more adept at recognizing technological devices and their role in 
offending. In addition, this understanding of basic DE collection will have to 
take place at crime scenes themselves to ensure a successful prosecution (see 
Chapter 15 for discussion). 
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The expansion of technology also has implications for the forensic sciences 
generally. For example, The National Research Council (NRC, 2009) issued 
a report on the status of forensic science in the United States that recognized 
the field of digital and multimedia analysis as a new subfield within the larger 
discipline of forensic science (NRC, 2009, pp. 178-185). Although the NRC 
acknowledged that the digital forensics discipline “has undergone a rapid mat- 
uration process” (2009, p. 181), the report noted that several challenges still 
remain if digital forensics is to be a rigorous, forensic science discipline: (1) lack 
of an agreed-upon certification program or list of qualifications for digital foren- 
sic examiners; (2) clarifying whether the examination of DE is an investigative 
or a forensic activity, and (3) wide variability in, and a degree of uncertainty 
about, the education, experience, and training of digital forensics professionals 
(p. 181). To that end, there are currently a number of professional certifications 
available, both vendor neutral (e.g., GIAC Certified Forensic Analyst) and ven- 
dor specific (i.e., tool specific, such as EnCase® Forensic Training Series; Ryan 
& Ryan, 2014). Unfortunately, there is no standardized list of certifications or 
qualifications required in the digital forensics discipline in order to be consid- 
ered a digital forensics professional or expert. 

From this report, it is important to recognize some progress has been made 
in the field of digital forensics. Researchers are working toward the develop- 
ment of a unifying professional code of ethics in digital forensics (Losavio et al., 
2016). By developing a professional code of ethics in digital forensics, research- 
ers and practitioners hope to move the field of digital forensics to a unified 
profession (Seigfried-Spellar et al., 2017). Also in response to the NRC report, 
the Department of Justice and the National Institute of Standards and Technol- 
ogy (NIST) established the National Commission on Forensic Science (NIST, 
2013) to strengthen and enhance the forensic sciences. Under the Forensic Sci- 
ence Standards Board, the National Commission on Forensic Science adminis- 
tered the Organization of Scientific Area Committees (OSAC), which includes 
the field of digital forensics. The OSAC DE subcommittee is specifically made 
up of DE, facial identification, speaker recognition, and video/imaging technol- 
ogy and analysis. The OSAC-DE specifically focuses on the development of 
“the standards and guidelines related to information of probative value that is 
stored or transmitted in binary form” (NIST, 2014). 


For more information on the OSAC-DE, go online to: https:// 
www.nist.gov/osac/digital-evidence-subcommittee 
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Overall, the future of digital forensics relies on the discipline’s ability to 
conquer each of the concerns highlighted by the NRC. The discipline needs to 
establish a standard of accreditation for digital forensic laboratories as well as a 
standard for training and continued education for digital forensic examiners. In 
addition, the digital forensics community needs to create a standardized protocol 
for the process of conducting a digital forensics investigation that focuses on the 
forensic scientific method (Casey, 2011). By following a scientific method, the 
examiner is less likely to overlook potential DE or report erroneous findings. 
According to Casey (2011), a protocol that focuses on the scientific method will 
encourage digital forensics examiners to follow procedures that are “generally 
accepted, reliable, and repeatable” as well as more likely to lead to “logical, 


well-documented conclusions of high integrity” (p. 224). 


The Challenge to Policy-Makers Globally 


The trends identified in this chapter all demonstrate that technological innova- 
tions create myriad opportunities for crime and deviance. One of the most com- 
mon ways that policy-makers, particularly in government and private industry, 
discuss how we may combat these problems is through the cultivation of better 
cybersecurity principles that can be employed by the common person every 
day. Every time an individual uses their antivirus software or carefully reviews 
an email message before responding, they are taking basic steps to secure their 
computer or device from compromise. As digital natives age, their use of and 
appreciation for technology may provide them with an even greater degree of 
computer security awareness than that of the digital immigrants of older gener- 
ations. This may create a slight improvement in the general security posture of 
society as a whole. 

Any benefits gained from improvements in security awareness, however, 
may be diminished by vulnerabilities and flaws in the computer systems and 
servers managed by ISPs and industry. As noted in Chapter 11, when a new 
vulnerability in a product is identified and weaponized by hackers, it directly 
threatens the security of all computer users through no fault of their own. The 
problem is exacerbated when nation-states simply hoard previously unidentified 
vulnerabilities on the basis that they may be later used to compromise targets. 
Such actions put the whole world at risk, especially if it is a common product or 
one that is present in common critical infrastructure systems. 

Thus, there is a need to consider what best practices can be developed for 


vulnerability identification and disclosure in order to minimize the potential for 
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collateral damage to the public. This is particularly true for vulnerabilities that 
may exist in trusted programs, as with the SolarWinds hack explained above. 
Many nations would likely be unwilling to find common ground on vulnerabil- 
ity disclosures that could be used for offensive cyberattacks due to the perceived 
advantages they provide. 

Until nations can agree on a strategy, it is likely that private companies will 
have to engage in proactive policing efforts to help minimize the risk of harm 
to their clients. For instance, Google operates a security team called Project 
Zero that actively seeks out and publicly discloses zero-day vulnerabilities when 
discovered (Page, 2021). The team largely operates to improve the state of 
cybersecurity and block malicious hackers from affecting vulnerable targets. In 
2021, the Team disclosed that they also actively analyzed what was revealed to 
be a Western nation-state sponsored hacker team that engaged in two separate 
attack campaigns throughout 2020 (Page, 2021). The actors utilized more than 
11 separate zero-day vulnerabilities and exploits, which Project Zero identified 
and publicly reported, enabling security patches to be produced that closed 
those potential avenues for attack (Page, 2021). It is likely that such activities 
may continue in the future until a more common set of protocols can be estab- 
lished across nations. 

There is also a need to improve the state of legislation so as to be both broad 
and flexible enough to be applied to a range of technological misuse while at the 
same time having substantive legal sanctions to deter individual offenders. Such 
a task is extremely difficult as there is no way to know how a new device or 
application will be adopted by offenders for nefarious purposes. For example, 
FOSTA and SESTA have impacted the volume of Internet-enabled prostitution 
and human trafficking occurring, though there is emergent evidence to suggest 
that arrests for both prostitution and sex trafficking in offline spaces have 


increased since the laws were enacted (see Chapter 7). 


For more on the impact of FOSTA-SESTA, go online to: https:// 
whyy.org/segments/fosta-sesta-was-supp osed-to-thwart-sex-trafiicking- 


instead-its-sparked-a-movement/ 


At the same time, legislative overreach can have negative outcomes as 
well. This is exemplified in the on-going legal challenges to the FBI’s strat- 


egies to investigate Tor as outlined above. The use of exploitive malware by 
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law enforcement to capture data that could be used against any citizen may 
be excessive and violate individual rights to privacy. Thus, legislators and law 
enforcement agencies alike must walk a fine line when developing new meth- 
ods to prosecute or pursue cybercriminals. 

Ata global level, there is also a need for improved international mechanisms 
to help combat serious financial and hacking-related cybercrimes. As noted in 
Chapter 8, there are a number of working groups that exist to coordinate transn 
national responses to child exploitation crimes. There are few similar entities 
to pursue hacking and fraud-related crimes, making it difficult to effectively 
sanction and deter offenders. In fact, the lack of resources may account for the 
continuing number of mass data breaches that also foster the global market for 
stolen data (Peretti, 2009). 

One strategy could be to better effect controls over the range of cryptocur- 
rencies that now exist, most notably Bitcoin. The growth of cryptocurrencies 
over the last ten years has been instrumental in transforming the ways in which 
cybercriminals engage in financial transactions (Matthews, 2021). Some nations 
have taken steps to regulate their use, with EU member states placing some 
degree of control over their use, exchange process, and rate of taxation. Oth- 
ers have considered their use illegal, such as India, while others have heavily 
restricted its use (Partz, 2020). Others, including the United States, have taken 
minimal efforts to identify the regulatory boundaries that should influence its 
use as a form of currency relative to that of traditional currencies (Matthews, 
2021). Though the lack of standards makes it difficult to engage in consistent 
enforcement, there is also an opportunity to find ways to promote financial reg- 
ulations and working groups similar to what is observed with wire transfers and 
criminal investigations. Such a development could be invaluable to affect certain 
forms of cybercrime, particularly illicit market operations. 


Summary 


Computers and the Internet have radically changed how we communicate, 
engage in business, and interact with the larger world in a very short amount of 
time. The benefits of these technologies are substantial, though they also create 
a range of threats to personal safety and national security. As a result, we have 
to continuously identify these threats and the ways that technologies are being 
abused by offenders to facilitate criminal behaviors. Only then can we improve 
our understanding of the influence of technology on the nature of crime and 


deviance in the 21st century and better protect ourselves. 
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Key Terms 


Connected and Autonomous Vehicles (CAVs) 
Contact tracing 

Encrypted chat applications 
Hack_Right 

Internet of Things (loT) 

Involuntary Celibate (Incel) 

Network investigative technique (NIT) 
Project Zero 

QAnon 

Self-radicalization 

Sky ECC 

SolarWinds 

Trusted platforms 


Discussion Questions 


1. Can you think of any distinct technologies (whether hardware or software) 
that you use that could be exploited by hackers? In what way could they 
be harmed? What information could be gathered from their compromise? 

2. How could innovations like unmanned aerial vehicles (UAVs) or drones 
be used by cybercriminals to effectively collect information or offend? 
How could law enforcement agencies around the world use these devices 
to disrupt cybercriminals generally? 

3. Based on everything you read throughout this book, what do you think 
the future of cybercrime offending and offenders will look like? 

4, What other solutions can you think of to better prepare law enforcement 


to investigate cybercrimes? How can we improve the overall response? 
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Glossary 


.xxx domain 


1 terabyte (1 TB) 
419 scams 


Absence of a capable guardian 


Access key 


Abstract organization 


Accuracy 
Action Fraud 


Active files 


A web domain address that provides a 
voluntary option for individuals to host 
pornographic content online. 

One trillion bytes. 

Another term for advance fee email 
schemes. The name references the Nigerian 
legal statutes that are used to prosecute 
fraud. 

Variable in routine activity theory that 
references the lack of physical, personal, or 
social protection that can minimize harm to 
a target. 

The password used by encryption programs 
that unlocks a file using the same algorithm 
that encrypted the information in order to 
decrypt it. 

One of the three characteristics of a 
nation-state that refers to the distinct and 
independent persona of a nation-state. 

The integrity of the data. 

The UK national agency that handles 
complaints of Internet-based fraud and 
theft. 

Existing files that are currently available on 
a hard drive, meaning they have not been 


deleted. 
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Ad hoc phase 


Adam Walsh Child Protection 
and Safety Act 


Admissibility 


Advance fee email schemes 


Advanced Persistent Threat 
(APT) 


Affidavit 


Age Verification Services (AVS) 


Al Qaeda in the Arabian 
Peninsula (AQAP) 

Allow States and Victims to 
Fight Online Sex Trafficking 
Act (FOSTA) 


Alternative Right, Alt-right 


A term used to describe the pre-forensics 
age of computer forensic technologies. 

US law that, among other protections, 
prohibited the defense from obtaining 
copies of child pornography evidence, in 
order to limit distribution of said illicit 
materials, so long as the defense has an 
ample opportunity to examine the evidence 
at a government facility. 

The process of determining whether 
evidence will assist the fact finders (e.g., 
judge) through their decision-making 
process. 

A scheme where a spam mail sender 
requests a small amount of money up front 
from the recipient in order to share a larger 
sum of money later. 

A reference to a nation-state sponsored 
hacker/attacker group that utilizes 
multistep attack methods to gain access to 
high-value targets. 

A written, or occasionally verbal, statement 
to which the law enforcement officer has 
sworn an oath to the magistrate that the 
information is true and factual. 

A web-based service that, upon entry into a 
website, verifies the age of an individual via 
either a valid credit card or a driver’s license. 
A jihadi terrorist network operating out of 
Gulf states to cause ideological harm. 

One of a pair of US laws passed in 2018 
that make it illegal to knowingly facilitate, 
assist, or support sex trafficking in online 
environments. 

A term referencing extremist groups on 

the far right of the US political spectrum, 
inclusive of neo-Nazi, white nationalist, and 


other movements operating on- and offline. 


Amendment 


Andrew “weev” Auernheimer 


Anonymous 


Anti-Malware Testing Standards 


Organization (AMTSO) 


Anti-Phishing Working Group 
(APWG) 


App 


Apparent authority principle 


Appeal to higher loyalties 


An addition or alteration to the US 
Constitution. 

A well-known hacker who radicalized 
while incarcerated for violations of the 

US Computer Fraud and Abuse Act who 
engages in hacks on behalf of extremist 
far-right beliefs and acts as technological 
support for various far-right websites. 

A group that stemmed from the image 
board 4chan that engages in a number of 
hacks and attacks against targets around the 
world. 

An organization that exists to provide a 
forum to improve the process of malware 
identification and product testing across the 
global security industry. 

A not-for-profit global consortium of 
researchers, computer security professionals, 
financial industry members, and law 
enforcement designed to document the 
scope of phishing attacks and provide 
policy recommendations to government 
and industry groups worldwide. 

A software application typically 
downloaded by the user that performs a 
certain function. 

US legal standard that states that if police 
obtain consent to search premises from 
someone who they reasonably believe 
shares a common authority over the 
premises then it does not violate Fourth 
Amendment rights even if the individual 
did not have the authority to give consent. 
One of the five basic techniques Sykes and 
Matza developed that allows individuals to 
break from conformity, operating on the 
basis that an offense is for the greater good 
of the group. 
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Ardit Ferizi 


Argot 


Arrest warrant 


Attribution 


Australian Federation Against 
Copyright Theft (AFACT) 
Authentic 


Authenticity 


Back Orifice 2000 (BO2K) 


Berne Convention for the 
Protection of Literary and 
Artistic Works 

Best evidence rule 
Bestiality 


Better Online Ticket Sales 
(BOTS) Act 


Beyond a reasonable doubt 


A hacker born in Kosovo who was arrested 
and extradited to the United States for 
engaging in a data breach to gain sensitive 
information on behalf of ISIS. Currently 
serving time in US federal prison for violations 
of the Computer Fraud and Abuse Act. 
Special language utilized by subcultures 

to refer to individuals in and out of the 
group and demonstrate connection to the 
subculture. 

A signed document by a judge or magistrate 
authorizing law enforcement to take the 
person into custody. 

The identification and linking of a hacking 
incident or some other offense to an 
individual or group. 

A nongovernmental federation that targets 
pirates in Australia and Oceania generally. 
A true and unaltered copy of the original 
data source. 

The ability to prove that the evidence is 
genuine in a court of law. 

A piece of malware written by members 

of Cult of the Dead Cow which infected 
Microsoft BackOffice server programs. 

A legal framework created in 1986 

to provide a common framework for 
intellectual property rights. 

See original writing rule. 

Experiencing sexual arousal from sex with 
animals. 

US legislation designed to minimize the use 
of automated software to purchase tickets 
to sporting events and other activities for 
the purposes of resale to the general public. 
Term used to refer to the standard of proof 
needed in US criminal courts to show that 


a person on trial committed a crime. 


BigDoggie 


Bill C-13 


Bill of Rights 


Bitcoin 


Bit Torrent 


Black-hat hacker 


Blended threat 


Blind 


Blockchain 


Boogaloo Bois 


Boogaloo Movement 


A website that enables individuals to access 
and post reviews of escort services. 
Proposed legislation that would make 

it a crime to share an intimate image 
without the consent of the subject of 
the image, punishable by up to five years 
in prison. 

The first ten amendments of the US 
Constitution. 

A relatively anonymous form of electronic 
currency used by a range of actors to pay 
for goods. 

Specialized software used to engage in 
distributed file sharing over the Internet, 
which has become particularly popular 
among those engaging in digital piracy. 
Uses techniques and vulnerabilities in 
order to gain access to information or harm 
systems. 

Any form of malware that combines 
aspects of viruses, worms, and trojan horses 
together in a single tool. 

Term used to refer to the idea that an 
independent forensic examiner should be 
completely unaware of the conclusions 
reached by the initial examiner. 

A digital ledger used to maintain records 
associated with various activities, 
particularly cryptocurrencies, through the 
use of cryptography to prove something 
occurred on a specific date and time. 

A far-right antigovernment extremist 
group operating within the United States 
with an interest in inciting a second 

Civil War. 

The broad association of far-right extremist 
actors and groups interested in sparking a 
second Civil War in the United States. 
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Boot sector 


Boot sector virus 


Botnet 


Bridges 
Bulletin board system (BBS) 


Bureau of Customs and Border 
Patrol (CBP) 


Business Email Compromise 
(BEC) 


Cam whores 


Cambridge Analytica 


A region of any sort of storage media or the 
hard disk of a computer that can hold code 
and be loaded into the computer’s memory 
by its firmware. 

A form of malware that operates by 
attempting to install code into the boot 
sector of either a form of storage media like 
a flash drive or the hard disk of the targeted 
computer. 

A form of malware that combines aspects 
of trojan horse programs and viruses 

and allows an infected computer to 
receive commands and be controlled 

by another user through Internet Relay 
Chat channels or the web via HTTP 
protocols. 

A hardware write blocker. 

A form of asynchronous computer- 
mediated communication used heavily 
during the 1980s. 

The US federal agency responsible for 
policing and managing the borders of the 
country and the movement of products in 
and out of the nation. 

A form of email-based fraud where the actor 
misrepresents themselves as a trusted party 
in order to obtain a massive sum of money 
through a one-time transfer of funds. 
Performers who engage in text-based 
conversations with individuals viewing 
them on streaming-video feeds and take 
requests for specific behaviors or sexual 
acts. 

A UK-based political consulting company 
that was involved in a data acquisition and 
misuse scandal involving Facebook and 
various political operatives in the United 
Kingdom and United States. 


Canadian Anti-Fraud Centre 
(CAFC) 


Canadian National Child 
Exploitation Coordination 
Center (NCECC) 


Capture the Flag 


Carding 


Carding markets 


Carnegie Mellon Report 


Carrier 
Catfishing 
Celerity 


Centre for the Protection of 
National Infrastructure (CPNI) 


A joint effort between the RCMP, Ontario 
Provincial Police, and the Competition 
Bureau that collects reports on various 
forms of fraud that take place online and 
offline. 

The Canadian agency that serves as a focal 
point of contact for online exploitation 
cases that cross jurisdictional boundaries 
within Canada or internationally. 
Competitions where hackers compete 
against each other individually or in 

teams to hack one another, while at the 
same time defending their resources from 
others. 

When an individual sells personally 
identifiable information acquired in some 
fashion via markets operating online, most 
often involving the use and abuse of credit 
and debit card details. 

Markets that enable individuals to 
efficiently engage in credit card fraud and 
identity theft with minimal effort and 
limited technical knowledge or skill. 

A report published by a student at Carnegie 
Mellon University which suggested that 
over 80 percent of images on the Internet 
involved sexually explicit content. The 
findings were subsequently debunked. 

The transport medium for digital 
information. 

The creation and development of relationships 
through social media predicated on false 
information. 

Swiftness, in the context of deterrence theory. 
The Center designed to protect UK critical 
infrastructure owners from emerging threats 
and coordinate responses in the event of a 
physical or cyber-based compromise. 
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Certainty 


Chain of custody 


Chaos Communication Congress 


(CCC) 


Child Exploitation and Online 
Protection (CEOP) Command 


Child Exploitation Task Forces 
(CETF) 


Child love 


Child pornography 


Child Pornography Protection 
Act of 1996 


Child Protections Operations 
(CPO) Teams 


Child sexual abuse imagery 
(CSAI) 


Refers to how likely it is that an individual 
will be caught and punished for an offense 
within deterrence theory. 

The chronological documentation of 
evidence as it is processed during an 
investigation. 

One of the oldest and largest computer 
hacking and security conferences held in 
Europe. 

The FBI-operated agency that takes reports 
of exploitation, abuse, and missing youth 
and will directly investigate threats and 
coordinate responses, depending on the 
scope of harm across multiple areas. 

This FBlI-operated task force provides a 
reactive and proactive response to online 
sexual exploitation cases and sex tourism 
practices. 

A term used by pedophiles to describe their 
sexual attraction to youth. 

The real or simulated depiction of sexual or 
sexualized physical abuse of children under 
16 years of age, or who appear to be less than 
16, that would offend a reasonable adult. 
This US Act extended existing laws 
regarding child pornography by establishing 
a new definition for this term, amending the 
criminal code under Title 18 to define child 
porn as “‘any visual depiction, including 

any photograph, film, video, picture, or 
computer or computer-generated image or 
picture of sexually explicit conduct.” 

The Australian Federal Police team that 
investigates and coordinates the response to 
child exploitation cases both domestically 
and internationally. 

A phrase used to describe photos involving 


the real or virtual sexual abuse of children. 


Child sexual abuse material 
(CSAM) 


Child sexual exploitation 
material (CSEM) 


Child Victim Identification 
Program (CVIP) 

Cipher 

Ciphertext 

Civil offense 


Closed market 


Closed-source software 


Cloud storage 
Cluster 


Code-Red Worm 


Collection/acquisition phase 


A phrase used to describe digital or physical 
media involving the real or virtual sexual 
abuse of children. 

A phrase used to describe digital or physical 
media featuring the real or virtual sexual 
abuse of children. 

AUS FBI-led program that examines 
images of child pornography in order to 
determine the identity and location of child 
victims. 

A mathematical formula (algorithm) 

that uses a set of rules for transforming a 
message. 

An illegible message. 

A noncriminal offense, usually a dispute 
between private parties. 

Illicit markets that occur behind closed 
doors or in controlled environments that 
are generally hidden from the public and 
require some degree of knowledge in order 
to gain access. 

Software where the source code is not 
made available to the general public; only 
the object code, which restricts the ability 
of users to modify and share the software 
due to copyright infringement, is publicly 
shared. 

A virtual warehouse where people can 
store data on a network. 

Two or more consecutive sectors on a hard 
drive. 

A form of malware activated online on 
July 13, 2001 that infected any web 
server using Microsoft’s IIS web server 
software. 

Phase of the digital evidence collection 
process concerned with the retrieval and 


preservation of digital evidence. 
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Collision 


Commodity 


Communications and 
Multimedia Act 1998 


Communications Security 
Establishment (CSE) 
Compelled 


Computer-mediated 
communication (CMC) 


Computer as a target 
Computer as a tool 


Computer as incidental 


Computer contaminants 


Computer crime 


Computer Crime and 


Intellectual Property Section 


(CCIPS) 


When hashing a hard drive does not 
result in a unique digital fingerprint for an 
item, but instead the same hash value is 


produced. 

The way that the clients of sex workers 
describe prostitutes in online forums. 
Malaysian act that allows law 
enforcement to conduct a search 

to compel a suspect to provide all 
encryption keys or passwords in order to 
search computerized data. 

The Canadian military entity engaged in 
proactive network attack and defense. 
Being forced to give information in the 
context of a police investigation or criminal 
court proceeding. 

Communications technologies that utilize 
the Internet to connect individuals, such 
as email, Instant Messaging Systems, and 
Facebook. 

When the computer or network is the aim 
of the attack. 

When the computer itself is used as an 
instrument to commit a crime. 

When the computer is either involved in 
the commission of a crime but has a smaller 
role, or the computer is being used merely 
as a storage device. 

A term for a virus or malware designed to 
damage, destroy, or transmit information 
within a system without the permission of 
the owner. 

Crime in which the perpetrator uses special 
knowledge about computer technology to 
commit the offense. 

The sub-section of the US Department of 
Justice that prosecutes computer hacking 


cases at the federal level. 


Computer Emergency Response 
Team (CERT) 


Computer Forensic Tool Testing 


project (CFTT) 


Computer forensics 


Computer Fraud and Abuse Act 
(CFAA) 


Computer Network Attack 
(CNA) 


Computer Network Defense 
(CND) 


Computer Network Exploitation 
(CNE) 


Computer Security Incident 
Response Teams (CSIRT) 
Con 


Concept virus 


Conclusion 


Condemnation of the 


condemners 


An agency that serves as a coordinating 
point for responses to major network 
emergencies. 

Provides unbiased, open, and objective means 
for manufacturers, law enforcement, and the 
legal community to assess the validity of tools 
used in computer forensics. 

The investigation and analysis of media 
originating from digital sources in an effort 
to uncover evidence to present in a court 
of law. 

The first US federal law which made 

it illegal to engage in various forms of 
computer hacking and fraud. 

The offensive use of hacking techniques 

to affect a target in the context of 
cyberwarfare. 

The use of proactive defense techniques 

to secure a target in the context of 
cyberwarfare. 

The offensive use of hacking techniques and 
data collection methods to assess and affect a 
target in the context of cyberwarfare. 

A different name for Computer Emergency 
Response Team. 

A computer hacking or computer security 
conference. 

A form of malware that demonstrated 

the potential use of macro programming 
languages as a method of compromise. 

An overall summary of the findings derived 
from the examination. 

One of the five basic techniques Sykes and 
Matza developed that allows individuals to 
break from conformity, operating on the 
basis that those who would condemn their 
actions are hypocritical and doing so out of 


personal spite. 
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Confirmation bias 


Connected and Autonomous 
Vehicles (CAV) 


Contact tracing 


Copyright 


Copyright Act of 1976 


Copyright laws 
Corpus delicti 


Counter-Proliferation 
Investigations (CPI) Unit 


Crack 


The tendency to accept information 

that confirms our beliefs while rejecting 
information that contradicts them. 

Cars, trucks, and other vehicles that can be 
connected to the Internet in some fashion 
and may or may not be capable of self- 
driving or other routinized activities via 
software and hardware. 

Establishing a chain of connections 
between human actors in order to establish 
who may have been in proximity to an 
infected or contagious person so that they 
may be notified of their risk and tested to 
determine potential illnesses. 

A legal form of protection for intellectual 
property that provides exclusive use of 

an idea or design to a specific person or 
company, the right to control how it may 
be used, and legal entitlement to payment 


for its use for a limited period of time. 

The US federal law that removed the 
power to prosecute copyright infringement 
cases from state courts in 1976. 

Laws designed to protect the creators of 
intellectual property. 

Refers to the principle that a crime must be 
proven to have been committed. 

A unit within the US Immigration and 
Customs Enforcement (ICE) Homeland 
Security Investigations (HSI) agency 
focused on preventing and investigating 
any efforts by criminal and terrorist 
networks to obtain export controlled 
technology and military equipment. 

A term that emerged within the hacker 
subculture to recognize and separate 
malicious hacks from those supported by 
the hacker ethic. 


Cracker 


Criminal Justice and 
Administration Act 2008 
Criminal offense 


Critical Infrastructure Center 


CryptoLocker 


Cryptomarket 
Cult of the Dead Cow (cDc) 


Cyber Civil Rights Initiative 
(CCRI) 


Cyber Security Agency (CSA) 


Cyber trespass 
Cybercrime 


Cybercrime Act 2001 


A negative term referring to those who 
engage in deviant or criminal applications 
of hacking. 

This UK law criminalized the possession of 
extreme pornography. 

The violation of a law in which a crime 

is committed against the state, society as a 
whole, or a member of society. 

A US Department of Homeland Security- 
based organization designed to coordinate 
the protection of various forms of critical 
infrastructure. 

A form of malware that spreads via 
attachments in emails or as downloadable 
malware online that encrypts data on any 
hard drives attached to the infected system 
using a very strong encryption protocol 
and holds the user’s system hostage until 
payment is received. 

An illicit market operation on the so-called 
Dark Web that can take various forms. 

A well-known hacker group in the 1990s 
that developed the BO2K malware. 

A nonprofit organization operating to assist 
victims of cybercrimes both in the United 
States and internationally. 

A Singapore-based government agency 
proactively engaged in the attack and 
defense of government agencies online. 
The act of crossing boundaries of 
ownership in online environments. 

Crime in which the perpetrator uses special 
knowledge of cyberspace. 

Inserted a new section into the Crimes Act 
1914 giving law enforcement the ability to 
compel a person to provide all encryption 
keys or passwords when investigating a 


computer-related crime. 
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Cyber-deception and theft 


Cyberdeviance 


Cyber Fraud Task Forces 
(CFTEs) 


Cyber-porn 
Cybersecurity and Infrastructure 


Security Agency 


Cybersmile 


Cyberstalking 


Cyberterror 


All the ways that individuals may 

illegally acquire information or resources 
online. 

Any activity facilitated by technology 

that may not be illegal but is not socially 
accepted by the majority of groups in a 
local area. 

A public private partnership operated by 
the US Secret Service as a means to detect, 
investigate and prevent cybercrime. 

The range of sexually expressive content 
online. 

An agency within the US Department of 
Homeland Security (DHS) agency focused 
on managing and securing both cyber and 


physical critical infrastructure. 
A charitable organization, founded in 


2010, to educate the public on the 
harm caused by cyberbullying through 
service programs in schools and 
neighborhoods. 

Online communication that may lead 


a victim to feel fear for their personal 
safety and/or experience emotional 


distress. 
The premeditated, methodological, and 


ideologically motivated dissemination of 
information, facilitation of communication, 
or attack against physical targets, digital 
information, computer systems, and/or 
computer programs which is intended 
to cause social, financial, physical, or 
psychological harm to noncombatant 
targets and audiences for the purpose of 
affecting ideological, political, or social 
change; or any utilization of digital 
communication or information which 
facilitates such actions directly or 


indirectly. 


Cyberterrorism 


CyberTipline 


Cyber-violence 


Cyberwar 


Darkode 


Dark Web 


Data breaches 


Data recovery 
Daubert hearing 


Daubert standard 


Daubert trilogy 


The use of digital technology or 
computer-mediated communications to 
cause harm and force social change based 
on ideological or political beliefs. 

An electronic resource operated by the 

US National Center for Missing and 
Exploited Children that provides a way for 
individuals to report suspected incidents of 
child abuse, child pornography, and sexual 
exploitation online. 

The ability to send or access injurious, 
hurtful, or dangerous materials online. 
Term used to describe the use of cyberattacks 
in support of conflict between nation-states. 
A high-profile hacker site engaged in the 
development and sale of various pieces of 
malware and stolen data files. 

Websites and online content hosted on 
encrypted networks that can only be accessed 
through the use of specialized software clients 
and tools, such as TOR or Freenet. 

The illegal acquisition of mass quantities of 
information through hacking techniques. 
Process of salvaging digital information. 

A hearing in US courts to determine 
whether a piece of scientific evidence, a 
theory, or study is reliable and therefore 
admissible in court. 

The four criteria for determining whether the 
relevant scientific evidence, theory, or study is 
reliable, and therefore admissible in US courts, 
based on testing, publication, error rates, and 
acceptance of the theory or technique. 

The three cases that helped to establish 

the current interpretation of the Daubert 
standard. These cases are Daubert v. Merrell 
Dow Pharmaceuticals (1993), General Electric 
Co. v. Joiner (1997), and Kumho Tire Co. v. 
Carmichael (1999). 
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Daubert v. Merrell Dow 
Pharmaceuticals (1993) 
Dead-box forensics 


DefCon 


Defend Trade Secrets Act 
(DTSA) 


Definitions 


Deleted files 


Denial of a victim 


Denial of an injury 


Denial of responsibility 
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US court case which held that any 
scientific expert testimony presented in 
federal court must undergo a reliability test. 
The examination of powered-down 
computer components. 

An annual computer security and hacking 
conference held each year in Las Vegas, 
Nevada. 

A US law enacted in 2016 to allow those 
who own trade secrets to sue any party 

in federal court when that secret has been 
misappropriated. 

One of the four principal components of 
Akers’s social learning theory, suggesting 
that the way an individual views a behavior 
will affect their willingness to engage in 
that activity. 

A file whose entry has been removed from 
the computer’s file system so that this space 
is now marked as usable again. 

One of the five basic techniques Sykes and 
Matza developed that allows individuals 

to break from conformity, operating on 
the basis that there is no discernible victim 
(e.g., large corporation) or the “victim” 
deserved it. 

One of the five basic techniques Sykes and 
Matza developed that allows individuals to 
break from conformity, operating on the 
basis that no one or thing will get hurt or 
damaged. 

One of the five basic techniques Sykes 
and Matza developed that allows 
individuals to break from conformity, 
operating on the basis that some other 
person, event, or situation will be directly 
responsible for the offense and should be 


blamed. 


Denial of service 


Denigration 


De-NISTing 


Department of Defense Cyber 
Crime Center 


Department of Homeland 
Security 


DHS Cybersecurity and 
Infrastructure Security Agency 
(CISA) 


Deterrence theory 


Deviance 


Differential association 


Differential reinforcement 


A form of cyberattack where a service 
or resource supported by the Internet 
is overloaded with requests, keeping 


legitimate users from access. 
A form of cyberbullying involving making 


comments about individuals’ characters or 
behaviors that are designed to harm their 


reputation, friendships, or social positions. 
The process of filtering the dataset and 


removing non-user-created files. 
A specialized agency run by the Air Force 


to perform forensic analyses and training 
for attacks against DoD computers and 


defense contractors. 
The US federal department that houses 


multiple law enforcement entities and 
coordinates responses to cyberthreats and 


attacks. 
The US Department of Homeland 


Security-specific agency tasked with 
a whole of government approach to 


cybersecurity and infrastructure protection. 
This perspective argues that humans will be 


deterred from choosing to commit crime 
if they believe that punishments will be 


certain, swift, and proportionately severe. 
A behavior that may not be illegal, though 


it is outside of the formal and informal 


norms or beliefs of the prevailing culture. 
One of the four principal components 


of Akers’s social learning theory, arguing 
that who we associate with influences our 
willingness to engage in crime and our 


exposure to definitions supporting offending. 
One of the four principal components of 


Akers’s social learning theory, arguing that the 
punishments or positive reinforcement we 
receive after engaging in crime will influence 


our willingness to perform that act again. 


Glossary 


719 


Glossary 


720 


Digital age 
Digital evidence 
Digital forensics 
Digital immigrant 


Digital Millennium Copyright 
Act (DMCA) 


Digital native 


Digital piracy 


Disinformation 


Distributed denial of service 
(DDoS) attack 


Distributor 


Double jeopardy clause 


The era of digital technologies. 
Information that is either transferred or 
stored in a binary form. 

The analysis of digital evidence, which 
includes network, computer, mobile 
device, and malware forensics. 

Those born before the creation of the 
Internet and digital technologies. 

US law designed to directly affect media 
piracy online through further revisions 

to the Copyright Act by extending 
protection to various music and 
performances that have been recorded in 
some fashion. 

Youths who were brought into a world 
that was already digital, spend large 
amounts of time in digital environments, 
and utilize technological resources in their 
day-to-day lives. 

A form of cybercrime encompassing 

the illegal copying of digital media such 

as computer software, digital sound 
recordings, and digital video recordings 
without the explicit permission of the 
copyright holder. 

The creation and spread of false information, 
particularly in online environments, to affect 
the social, political, or economic functions 
of a nation. 

When individuals send multiple requests to 
servers that house online content to the point 
where these servers become overloaded and 
are unable to be used by others. 

An individual who actively shares CSAM/ 
CSEM online. 

US legal clause that states that an individual 
is protected from being prosecuted or 
punished twice for the same crime. 


Dread Pirate Roberts 


Drift 


Drive slack 


Due process clause 


e-jihad 


Electronic Communications 
Privacy Act (ECPA) 


Electronic Pearl Harbor 


Elk Cloner 


EnCase® 


The handle for Ross William Ulbricht. 
Ulbricht was the site administrator for the 
Silk Road. 

Term used by David Matza to refer to 
the transition between criminality and 
conformity without accepting a deviant or 
criminal identity. 

When the operating system does not 
overwrite old information that was once 
available on the storage device between the 
start of the next sector and the end of the 
cluster. 

US legal clause that states that the 
government cannot deprive someone 

of “life, liberty, or property” without 
due process, meaning the government 
must follow rules and procedures for 
conducting legal procedures to limit 
arbitrary decisions. 

Term used to describe the use of the 
Internet as a venue for indoctrination and 


cyberattack by Islamic extremist groups. 
The US law that enabled law enforcement 


to obtain the name and address of ISP 
subscribers, along with personal details and 
sensitive data. 

Term used to refer to an unexpected and 
catastrophic cyberattack against the United 


States. 
An early form of malware, designed to 


infect Apple II computers via a floppy disk 
that did not cause any actual harm but was 


difficult to remove. 
A forensics tool created by Guidance 


Software in 1997. This automated tool can 
image a drive, without altering its contents, 
and then verify that the image is an exact 
copy of the original drive. 
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Encrypted chat applications 


Encrypted email 


Encryption 


Endangered Child Alert Program 
(ECAP) 


Enterprise Phase 


Escort 


European Union Directive 
2001/29/EC 


European Union Directive 
91/250/EEC/2009/24/EC 


Evidence integrity 


Examination/analysis stage 


A type of text-based messaging 
application for use on mobile devices 

that are encrypted so as to conceal the 
communications from others. 

A form of email that utilizes end-to-end 
encryption to conceal the contents from 
others. 

The process of transforming text, such as 
an email, through the use of mathematical 
algorithms so that it is no longer legible to 


others. 

A US FBI-led program that seeks to 
identify the adults featured in some child 
exploitation content so they may be 
brought to justice. 

The period of digital forensic 
technologies in the early 2000s marked 
by familiarity with digital evidence 
handling and the creation of tools 
specifically designed for digital forensic 
analysis. 

A type of sex worker who operates 
behind closed doors and typically makes 
appointments with clients rather than 
soliciting publicly. 

Also known as the Copyright Directive, 
this European Union statute establishes 
guidelines concerning the adequate legal 
protection of copyrighted materials through 
technological means. 

A European Union statute that provides 


legal protection for computer programs 
and harmonized copyright protection 


across the EU. 
The reliability and truthfulness of the 


evidence. 
The stage of digital forensic investigation 


involving data recovery/extraction and 
analysis of digital data. 


Exit scam 


Exclusion 


Exigent circumstance 


Export Enforcement 
Coordination Center (E2C2) 


Exploit 


Exploit packs 


External Attackers 


External hard drives 


Extraction 
Extreme pornography 


A scheme whereby cryptomarket operators 
amass a large amount of money from 
customers that is being held in escrow to 
complete transactions and then take all 
those funds and close the market without 
warning. This leaves all participants with 


no way of gaining back their funds. 
A form of cyberbullying involving 


intentionally keeping others from joining 
an online group, such as a network on 


Facebook or some other site online. 
Refers to emergency situations that allow law 


enforcement officers to conduct a warrantless 
search when they believe people are in danger 
or potential evidence will be destroyed. 

A US-based operational enforcement 
agency that is housed within ICE as a 
means to regulate the flow of goods and 
investigate criminal activities. 

A program that can take advantage of 
vulnerabilities to give the attacker deeper 


access to a system or network. 

A form of malware that can infect web 
browsers and thereby enable remote 
takeovers of computer systems. 

Individuals who do not have legitimate 

or legal access to a network who attempt 
to gain access through the use of various 
hacking techniques. 

Portable storage devices located outside of 
the computer and are usually connected via 
a USB port. 

See data recovery. 

UK-centric definition for materials produced 


for the purpose of sexual arousal which depicts 
acts that “threaten a person’s life; acts which 

result in or are likely to result in serious injury 
to a person’s anus, breasts or genitals; bestiality; 


or necrophilia.” 


Glossary 


723 


Glossary 


724 


Fair and Accurate Credit 
Transactions Act of 2003 


Federal Bureau of Investigation 
(FBI) 


Federal Bureau of Investigation’s 
Violent Crimes Against Children 
(VCAC) 


Federal Rules of Evidence 
(FRE) 
Federal Trade Commission 
(FTC) 


Federation Against Copyright 
Theft (FACT) 


Fifth Amendment 


File 
File Allocation Table (FAT) 


File carving 


File extension 


The US law that provides multiple 
protections to help reduce the risk of 
identity theft and assist victims in repairing 
their credit in the event of identity theft. 

A prominent US federal law enforcement 
agency that can be involved in the 
investigation of most forms of cybercrime, 
particularly hacking, financial crimes, and 
cyberterrorism. 

This US-based law enforcement agency 
investigates a range of sexual offenses and 
criminal activities that affect youth, ranging 
from child pornography to sex trafficking 
to kidnapping. 

Governs the admissibility of evidence in 
federal court proceedings in the United States. 
An independent watchdog agency within 
the US federal government responsible for 
consumer protection and monitoring the 
business community. 

The primary trade organization in the 
United Kingdom dedicated to the protection 
and management of intellectual property, 
notably that of film and television producers. 
The Fifth Amendment to the US 
Constitution that protects an individual from 
self-incrimination, double jeopardy, and 
deprivation of liberty without due process. 
A piece of computer-based data. 

The type of file system used in older 
versions of the Windows operating systems. 
The process of searching for a certain file 
signature in a hard drive and attempting to 
extract the associated data without regard 
for the file system. 

The part of the file’s name that tells the 
operating system what program to use to 
open it. 


File sharing 


File signature 


File slack 


File system 


Financial Coalition Against 
Child Pornography (FCACP) 


Fisher v. United States (1976) 


Five Eyes 


Flaming 


FloodNet 


The process of electronically exchanging 
intellectual property over the Internet without 
the permission of the original copyright holder. 
An identifying value for the content of a 
computer file. 

The leftover space between the end of the 
file and the end of the last storage unit for 
that file. 

The way in which data is organized and 
retrieved on a computer hard drive. 

A coalition that comprises 39 financial 
institutions and Internet service providers 
who are jointly operating to take complaints 
of child pornography and disrupt the 
businesses that are engaged in the sale of or 
profit generation from this content. 

US court case which demonstrated that 
statements given voluntarily to police 

and criminal justice system actors are not 
protected by the Fifth Amendment. 

A colloquial term used to reference 

the working relationships between the 
Australia, Canada, New Zealand, the UK, 
and US governments, particularly as relates 
to intelligence collection and analysis. 

A form of cyberbullying involving 
engaging in online fighting where users 
directly target one another with angry or 
irritated messages, often featuring vulgar 
language. 

The DDoS tool that was developed by 

the Electronic Disturbance Theater. The 
program could be downloaded directly 
from their website to be utilized by 
individuals who shared their perspectives 
on the use of the Internet as a space for 


social activism. 
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Florida Computer Crimes Act 
of 1978 


Food and Drug Administration 
(FDA) Office of Criminal 
Investigations (OCI) 

Footer 


Forensic confirmation bias 


Forensic science 


Forensic soundness 


Forensic Toolkit® (FTK) 


Forum for Incident Response 
and Security Teams (FIRST) 


Fourth Amendment 


Fragmented 


The US state law that was the first codified 
state statute regarding computer crime, 
involving offenses against intellectual 
property, offenses against computer 
equipment or supplies, and offenses against 
computer users. 

The criminal investigation arm of the 
US-based Food and Drug Administration 
to combat a range of offenses. 

The last few bytes that mark the end of 

a file. 

Term referencing the class of effects 
through which an individual’s preexisting 
beliefs, expectations, motives, and 
situational context influence the collection, 
perception, and interpretation of evidence 
during the course of a criminal case. 

The application of science to the law, 
meaning the scientific process of gathering 
and examining information to be used by 
the criminal justice system. 

The validity of the method for collecting 
and preserving evidence. 

Commercial software commonly used 

in digital forensic investigations that was 
created by AccessData. It is capable of 
imaging a hard drive, scanning slack space, 
and identifying steganography; however, 

it is also capable of cracking passwords and 
decrypting files. 

A global organization that serves 

to coordinate information sharing 

and connections between all teams 
worldwide. 

Limits the US government’s ability to search 
and seize evidence without a warrant. 

A file that is stored in nonconsecutive 
sectors on a computer hard drive. 


Fraud 


FRE Rule 401 


FRE Rule 702 


FRE Rule 801 


FRE Rule 901 


Free space 
French postcards 


Frye standard 


Frye v. United States (1923) 


Fusion Center 


Gatekeeper 


Wrongful or criminal deception intended 
to result in financial or personal gain. 
Defines relevance as the tendency to make 
the fact being presented in a case more or 
less probable. It also defines authenticity 

as the ability to prove that the evidence is 
genuine. 

States that if scientific, technical, or other 
specialized knowledge will assist the 

trier of fact to understand the evidence 

or to determine a fact in issue, a witness 
qualified as an expert by knowledge, skill, 
experience, training, or education may 
testify thereto in the form of an opinion or 
otherwise. 

States that hearsay is considered second- 
hand evidence, meaning it is testimony not 
based on first-hand or personal knowledge. 
States “the proponent must produce 
evidence sufficient to support a finding that 
the item is what the proponent claims it is.” 
The portion of the hard drive that has yet 
to be assigned to a partition. 

Images of nudes printed on postcard stock 
and sent through the mail to others. 

States that scientific evidence is only 
admissible if it is generally accepted as 
reliable by the scientific community. 

US court case that led to the development 
of the Frye standard for the presentation of 
scientific evidence. 

A joint operational policing resource found 
in the United States, often at the state 
level, that acts as a coordination point for 
criminal and terrorism-related threats. 

A term used to refer to a judge in the 
context of assessing both the relevance and 


reliability of scientific evidence. 
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General Electric Co. v. Joiner 
(1997) 


General strain theory 


General theory of crime 


Geneva Convention 


Girlfriend experience (GFE) 


Golden Age 
Google Glass 


Grand jury 


Gray-hat hacker 


Grooming 


AUS court case that demonstrated that not 
only was scientific evidence under review 
but so was the methodology and reliability 
of an expert’s reasoning process. 

An individual-level theory developed by 
Robert Agnew that discusses the role of 
frustrations leading to negative emotions 
which, if not addressed appropriately, can lead 
individuals to engage in crime as a response. 
Gottfredson and Hirshi’s theory that argues 
that crime stems from low self-control and 
opportunities to offend. 

A series of treaties and protocols that establish 
legal standards for conduct in warfare. 

A term used by the customers of prostitutes 
to refer to a sexual experience meant to 
feel like a consensual relationship with no 
money involved. 

See Enterprise phase. 

A form of wearable technology created by 
the company Google. These thin glasses 
come with a wearable computer featuring a 
heads-up display that is voice activated and 
controlled. Users can do a variety of things 
while wearing Glass, including taking 
photos and videos, searching the Internet, 
checking email, and several other activities 
that are evolving through the creation of 
new applications. 

A group of people who determine whether 
or not there is enough evidence to formally 
charge the individual with a crime. 

A group of hackers that falls between 
black- and white-hat hackers who have 
shifting or changing ethics depending on 
the specific situation. 

The misuse of the Internet by using it to 
engage in inappropriate communication 
with children. 


Hack 


Hack_Right 


Hacker 


Hacker space 


Hacktivism 


Handheld devices 


Handle 
Hands-on contact offenders 


Harassment 


Hard drives 
Hardware 


Hash 
Hash algorithm 


The modification or alteration of computer 
hardware or software to enable technology 
to be used in a new way, whether for 
legitimate or illegitimate purposes. 

A strategy of minimizing involvement 

in criminal hacking among juveniles 

by detecting their behaviors early and 
diverting them toward white-hat activities, 
first implemented in the United Kingdom 
and the Netherlands. 

An individual who modifies or alters 
computer hardware or software to enable 
technology to be used in a new way. 

A physical location where individuals can 
converge to discuss technology and learn 
from one another. 

Using hacking techniques to promote an 
activist agenda or express their opinion. 

A source of potential electronic 
information that includes mobile phones, 
digital multimedia devices (e.g., iPod), 
digital cameras, and global positioning 
systems (GPS). 

The nicknames used by individuals in on 
and offline environments. 

Individuals who have engaged in physical 
contact sexual offenses. 

The repeated distribution of cruel or mean 
messages to a person in order to embarrass 
or annoy them. 

Data storage devices used for storing and 
retrieving data. 

The tangible or physical parts of a 
computer system. 

A fixed value (output) — see also hashing. 
A set of calculations that takes an arbitrary 
amount of data (input) and creates a 

fixed value (output) that acts as a unique 
reference number for the original data. 
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Hashing 
Header 


Hearsay 


Hidden files 


Hitman 
Hypothesis 
I/O error 


Identification document 


Identity fraud 


Identity theft 


Identity Theft and Assumption 
Deterrence Act of 1998 


Identity Theft Enforcement and 
Restitution Act of 2008 


The process of creating a hash value from a 
variable amount of data. 

The first few bytes that mark the beginning 
of a file. 

Term used to refer to second-hand 
evidence, or information obtained on a 
first-hand or personal knowledge basis. 
Files that have been manipulated in such a 
way that the contents of the original file are 
concealed. 

An individual who engages in acts of 
violence on a fee-for-service basis. 

A reasonable explanation as to what might 
have occurred or why. 

Input/output errors that are often the result 
of a bad sector on a hard drive. 

A document made or issued by or under the 
authority of a government with information 
concerning a particular individual intended 
to serve as a form of identification. 

Within the United Kingdom, this term 
refers to the illegal misuse of a document 
made or issued by or under the authority of 
the government. 

Within the United States, this term refers 

to the unlawful use or possession of a means 
of identification of another person with the 
intent to commit, aid, or abet illegal activity. 
This US law made it a federal crime 

to possess, transfer, or use a means of 
identification of another person without 
authorization with the intent to commit or 
aid in the commission of illegal activity at 
the local, state, or federal level. 

This US federal act allows offenders to 

be ordered to pay restitution as a penalty 

to victims of identity theft and enhanced 


existing laws regarding cybercrime. 


Identity Theft Penalty 
Enhancement Act of 2003 


Imaging 


Imitation 


Immigration and Customs 
Enforcement (ICE) 


Impersonation 


In re Boucher (2007) 


Incidental 


Incriminating 


Indian Music Industry (IMI) 


Information Age 


This US act added two years to any prison 
sentence for individuals convicted of a 
felony who knowingly possessed, used, or 
transferred identity documents of another 
person. 

The process of making an exact copy (bit 
by bit) of the original drive onto a new 
digital storage device. 

One of the four principal components of 
Akers’ social learning theory, suggesting 
that an individual’s first act of deviance 

or criminality is an attempt to model the 
behavior of their peers and intimate others. 
The US federal agency that manages 

the processing and prosecution of illegal 
immigrants and the movement of materials 
through the borders of the nation. 

A form of cyberbullying involving falsely 
posting as other people to harm their 
reputation or social status by logging into 
their existing accounts to post messages or 
by creating fake accounts to masquerade as 
that person. 

US court case which led to Fifth 
Amendment challenges to encryption 
protocols. 

When the computer is either involved in 
the commission of a crime in a smaller 
accompanying role or is being used merely 
as a storage device. 

Information that implicates an individual in 
a criminal incident or wrongdoing. 

A trust representing the recording industry 
distributors of the country of India, similar 
to the RIAA in the US. 

Period of time marked by the increased 
production, transmission, consumption of, 


and reliance on information. 
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InfraGard 


Inspire 


Integrated National Security 
Enforcement Teams (INSET) 
Intellectual property 


Internal Attackers 


Internal hard drives 
International Center for 


Missing and Exploited Children 
(ICMEC) 


International Criminal Tribunal 


Internet Crime Complaint 
Center (IC3) 


A nonprofit public-private partnership 
designed to facilitate information sharing 
between academics, industry, and law 
enforcement. 

An jihadist-oriented online publication 
released by the terrorist organization 
AQAP to influence the behavior of 
individuals across the globe. 

Canadian counter-terrorism security forces 
housed under Public Safety Canada. 

Any work or artistic endeavor created by 
an individual which has been fixed in some 
form, such as being written down. 
Individuals with legitimate access to a 
network or computer resources, often as 
employees, who attempt to gain access to 
resources they cannot use through the use 
of various hacking methods. 

Hard drives that are installed inside a 
computer or device. 

A nonprofit agency with a similar mission to 
the NCMEC, though it is focused on building 
partnerships in a global context to better 
investigate child exploitation cases and build 
the legal capacity of nations so that there is 
consistency in laws to prosecute these offenses. 
The formation of a truly international court 
that could represent the victim nations and 
offenders could be a valuable tool to pursue 
cases where multiple nations were affected 
by a group of actors. 

A collaborative effort of the National 
White Collar Crime Center (NW3C) 

and the FBI operating for crime victims, 
consumers, and researchers to understand 
the scope of various forms of online fraud. 
Victims can contact the agency through an 
online reporting mechanism that accepts 
complaints for a range of offenses. 


Internet Crimes Against 
Children (ICAC) 


Internet Relay Chat (IRC) 


Internet of Things 


Involuntarily Celibate (Incel) 


Irhabi007 


Islamic State of Iraq and Syria 
(ISIS) 


Johns 
Joint Terrorism Task Force 
(TTF) 


Jus ad bellum 


Jus in bello 


Just compensation clause 


US-based local task forces that provide a 
mechanism for coordination between local, 
state, and federal law enforcement, as well 


as prosecutors, to combat child sex offenses. 
A protocol created in 1988 that allows 


for real-time text messaging, mostly for 
group discussions in chat rooms, between 


internet-connected computers. 
All non-computing devices connected 


together via the Internet, including 


thermostats, refrigerators, and other appliances. 
An individual who does not have sexual or 


emotional relationships with others, though 
not by their choice. These individuals 
communicate in online forums and are 
increasingly willing to engage in violence 
against the opposite sex out of anger or 


frustration. 
The screen name of Younes Tsouli, a 


UK-based hacker who engaged in a series 
of hacks in support of jihadist ideologies 


online and offline. 
A terrorist organization formed in the wake of 


the war in Iraq, which has engaged in serious 


acts of mass-violence around the world. 
A term used to refer to the customers of 


prostitutes. 
US-based multiagency partnerships 


between local, state, and federal agencies to 
investigate and respond to terrorist threats 


and terror-related crimes. 
A set of guidelines that help to determine 


the permissibility, or just nature of a 


decision to engage in war. 
A set of guidelines for the conduct of 


participants in an armed conflict. 
States that any property taken by the 


government must be for public use and the 
owner must be fully reimbursed its market 


value. 
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Katz v. United States (1967) 


Key disclosure law 


Keyword search 


Kumho Tire Co. v. Carmichael 
(1999) 


Lamer 


Latent 
Law Reform Commission 


Legacy systems 
Liable 


Liberty Reserve 


Logical extraction 


Lori Drew 


Low Orbit Ion Cannon (LOIC) 


Macro virus 


Key US court case that defined an 
individual’s right to privacy in public spaces. 
Legislation that mandates a person to 

provide encryption keys or passwords to law 
enforcement for digital forensic investigations. 
The process of using a word or series of 
words to conduct a search in the entire 
physical drive of a computer regardless of 
the file systems. 

US court case that helped inform the 
Daubert standard of evidence. 

A term used by hackers to refer to individuals 
with limited capacity and/or skills. 

Another term for hidden. 

Irish body of law that helped inform 
standards of evidence. 

Outdated computer systems, devices, or 
software. 

Civil and criminal responsibility for a 
behavior or specific activity. 

An electronic payment processor that is 
being prosecuted in the United States for 
its role in money laundering for various 
forms of crime. 

The process of identifying and recovering 
data based on the file systems present on 
the computer hard drive. 

A woman alleged to have created a 
fictitious MySpace profile in order to harass 
a 13-year-old girl named Megan Meier, 
who eventually committed suicide as a 
result of contact with Drew’s profile. 

The DDoS tool that is used by the group 
Anonymous to support attacks against 
personal, industrial, and government targets 
around the world. 

A popular way to infect systems by using a 
common weakness in a variety of popular 
programs like Excel, Word, and PDFs. 


Macro programming language 


Magic numbers 
Malicious Communications Act 
1998 


Massage parlor 


Master file table (MFT) 


Megan Meier 


Megan Meier Cyberbullying 


Prevention Act 


Melissa virus 


Message Digest Version 5 
(MD5) 


Metropolitan Police Central 
e-crime Unit (PCeU) 


A programming language common to 
Microsoft Office products that was used by 
virus writers to compromise user systems. 
See file signatures. 

Enables individuals to be prosecuted for 
sending messages to another person for 
the purpose of causing fear or anxiety. 
Revised in 2001 to include electronic 
communications of any kind that convey 
a threat, indecent or offensive content, or 
information that is false. 

A business that operates as a supposedly 
legitimate massage clinic but actually 
provides sexual services to clients. 
Contains information about all of the files, 
folders, and directories on a drive. 

A young woman who committed suicide 
after receiving bullying messages from a 
fake MySpace profile, alleged to have been 
created by Lori Drew, the mother of one 
of Megan’s friends. 

Proposed US federal legislation would have 
made it illegal for anyone to use CMC 

“to coerce, intimidate, harass or cause 
substantial emotional distress to a person,” 

or use electronic resources to “support 

severe, repeated, and hostile behavior.” This 
resolution was not successfully passed into law. 
A well-known virus that spread throughout 
the globe in the 1990s. 

A type of hashing algorithm that takes 

a large amount of data of arbitrary 

length (input) and calculates a unique 
“fingerprint” of this data expressed as a 
unique combination of hexadecimal digits 
of a specified length (output). 

The London, England police agency that 
responds to serious forms of cybercrime 
affecting citizens. 
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Microsoft Digital Crimes Unit 


Mileage 


Miller v. California 


Motris worm 


Motion Picture Association of 


America (MPAA) 


Motivated offender 


MP3 format 


MuTation Engine (MtE) 


Napster 


Nation-state actor 


National Centre for 
Cyberstalking Research 
National Center for Missing and 
Exploited Children (NCMEC) 


A working group created by the Microsoft 
Corporation to combat cybercrime in 
conjunction with law enforcement. 

Term used by the customers of prostitutes 
in web forums to refer to the appearance 
of sex workers and their deterioration in 
appearance over time in the sex trade. 

US court case that established the 
definition of obscene content that is still in 
use today. 

The first worm created by Robert Morris 
that caused substantial harm to the Internet 
in the 1980s. 

The US association that operates to protect 
the intellectual property of their artists and 
creative producers. 

Variable within routine activity theory that 
constitutes any individual or group who has 
both the inclination and ability to commit 
crime. 

A software standard designed to compress 
audio files. 

A polymorphic generator that not only 
encrypts a virus but randomizes the routine 
used so that it varies with each replication. 
A popular file sharing program developed 
in 1999 that allowed a larger population of 
Internet users to engage in piracy. 

Hackers who engage in attacks at the 
behest of or in cooperation with a 
government or military entity. 

A UK-based research center designed to 
address the problem of cyberstalking. 

One of the key nonprofit organizations in 
the United States that deals with missing 
children and child exploitation. It performs 
multiple roles to facilitate the investigation 
of crimes against children. 


National Counter Terrorism 
Policing Network (NCTPN) 


National Crime Agency (NCA) 


National Crime Victimization 
Survey-Supplemental Survey 
(NCVS-SS) 

National Domestic Extremism 
and Disorder Intelligence Unit 


National Fraud Authority (NFA) 


National Fraud Intelligence 
Bureau (NFIB) 


National Incident-Based 
Reporting System (NIBRS) 


National Intellectual Property 
Rights Coordination Center 


(NIPRCC) 


National Police Forces 


National Policy Institute (NPI) 


The UK-based collaborative network 
designed to link police forces involved 

in the prevention, deterrence, and 
investigation of terrorism. 

UK national criminal justice agency 

that has both national and international 
reach and works in partnership with law 
enforcement organizations to particularly 
focus on serious and organized crime. 

A US-based survey with a nationally 
representative sample of respondents that 
demonstrates the prevalence and incidence 
of cyberstalking. 

The UK-based national police unit 

tasked with investigating and combatting 
homegrown acts of terror and extremism 
within England and Wales. 

UK agency was formed in 2008 in order 
to increase cooperation between the public 


and private sectors to investigate fraud. 
The NFIB collects information on various 
forms of fraud and aggregates this data 
along with reports from business and 
industry sources into a large database 
called the NFIB Know Fraud system. It is 
operated by the City of London police. 
The US-based incident reporting system 
used by law enforcement agencies to 
collect and report data on crime. 

The US-based center housed within the 
Department of Homeland Security that 

is responsible for enforcing intellectual 


property laws. 
Law enforcement agencies that respond 


to and investigate incidents that cut across 


state or other internal territorial boundaries. 


A US-based white supremacist think tank 
and lobbying group focused on alt-right 


and other extremist group interests. 
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National Security Agency (NSA) 


National Security Investigations 


Division 


National Software Reference 
Library (NSRL) 


Nation-state 


Necrophilia 


Neighborhood Children’s 
Internet Protection Act 
(NCIPA) 


Nested search 
Network Investigative 
Technique (NIT) 


Network Forensics 


New Technology File System 
(NTFS) 

No Electronic Theft (NET) Act 
of 1997 


Non-nation-state-sponsored 


actor 
Noob/Newbie 


The US agency which supports offensive 
and defensive operations in support of US 
military and civilian networks. 

A uni within the US Immigration and 
Customs Enforcement (ICE) Homeland 
Security Investigations (HSI) agency 
focused on the investigation of criminal 
enterprises, organizations, and foreign 
intelligence actors within the US. 

The US NIST-supported reference library 
that maintains details on various software 
programs. 

A nation-state is any sovereign nation with 
a defined territory and a governmental 
organizational structure. 

Experiencing sexual arousal from sex with 
the dead. 

This US law requires Internet filtering 
technology in public libraries to block young 
people from accessing harmful content, 
including pornographic and obscene materials. 
A search within a search. 

The use of hacking and/or malicious 
software by law enforcement agencies, 
particularly the FBI in the United States, 
which may or may not be legal. 

The use of digital forensic capture and 
analysis methods against a live network of 
computer systems. 

The current file system for Windows NT 
operating systems. 

A US federal law designed to increase the 
penalties for the duplication of copyrighted 
materials. 

An individual who acts without any sort of 
state or military backing. 

An individual new to hacking and with 
minimal knowledge of technology. 


North Atlantic Treaty 
Organization (NATO) 


NotPetya 


Object code 


Obscene Publications Act (OPA) 
1959 


Obscene Publications Act 1857 


Obscenity 


Observation 
One Ummah 


Online harassment 


Open-field searches 


Open Markets 


An intergovernmental military alliance linking 
European and North American nations to 
secure their interests and improve the state of 
collective security across all groups. 

A form of malicious software, thought 

to have been created by the Russian 
government, that appears to operate like 
ransomware but actually causes substantive 
harm to any infected computer system. 
Code that restricts the ability of users to 
modify and share the software due to 
copyright infringement. 

Law applicable in England and Wales that 
indicates any article may be obscene if 

its effect on the audience member who 
reads, views, or hears it is to “deprave and 
corrupt.” 

This UK act made it illegal to sell, possess, 
or publish obscene material, which was not 
clearly defined in the law. 

Term used to refer to content that may 

be indecent, lewd, or vulgar, which varies 
based on the legal standards of a given 
nation. 

The first stage of the scientific method. 
An international nonprofit charity to 
provide assistance to individuals in need. 
The repeated distribution of cruel or mean 
online messages to a person in order to 
embarrass or annoy them. 

A form of legal search that can be 
conducted by law enforcement without 

a warrant in any open field or large area 
that cannot be considered persons, houses, 
papers, or effects. 

A type of illicit market with no barriers to 
entry for any participant, whether as buyer 


or seller. 
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Open-source software 


Operation Aurora 


Operation Olympic Games 


Operation Predator 


Operation Rescue Me 


Operation Spade 


Operation: Bot Roast 


Original writing rule 


Outing 


Partition recovery 


Software programs that can be freely used, 
modified, and shared with anyone. 

The name given to a series of cyberattacks 
against various major corporations to steal 
sensitive intellectual property information, 
which appeared to originate in China. 

The name of a classified US military 
operation to disrupt the Iranian nuclear 
program. 

This US ICE-led program is designed 

to facilitate the investigation of child 
exploitation in the United States and 
abroad. 

This US FBI-led program has been in 
operation since 2008 to identify victims of 
child exploitation based on their appearance 
in images or video of child pornography. 
Name given to a multinational 
investigation of a child pornography 

ring operating out of multiple nations to 
produce content. 

An investigation conducted by the US FBI 
targeting botnet operators. 

States that the original evidence, rather 
than a duplicate, is generally required unless 
the duplicate can be authenticated and it 
can be proven that its contents are the same 
as the original. 

A form of cyberbullying involving the posting 
of real personal information about individuals 
to embarrass them, such as sending images 

of them in states of undress, posting who 

they are attracted to, or information about 
homosexual preferences which may not be 
known to the general public. 

The process of evaluating the partition 
table and the unused space on the physical 
hard drive of a computer. 


Partition table 


Partitioning 


Partitions 


Password-protected files 


Patent 
Payload 


Pedophile 


Peer-to-peer (P2P) file sharing 
protocols 


People’s Liberation Army of 
China (PLA) 
Peripheral device 


Personal Identification Number 
(PIN) 
Personally identifiable 


information (PII) 


Philippine Rules of Electronic 
Evidence (PREE) 


Phishing 


Computer-based reference description for 
how the operating system has divided the 
hard drive into partitions. 

The process of dividing up a computer 
hard drive into separate storage spaces. 
Separate storage spaces in a computer hard 
drive that determines how much space is 


allocated to each storage bin, or partition. 
Locked files that require a password to gain 
access. 

See Copyright. 

The changes that a piece of malware causes 


to a computer system upon activation. 
An individual with a sexual attraction to 
individuals under the age of 18 years. 
Protocols that enable direct file sharing 
between two computer systems over the 
Internet. 

The name of the Chinese military. 


Externally connected components that are 
not considered essential parts of a computer 
system, such as scanners, printers, and 
modems. 

The four-digit number used as a password 
to secure access to bank accounts at ATMs. 
Information that is unique to an individual 
that can be used on its own or with other 
information to identify, locate, or contact a 
single individual. 

This specifically outlines the admissibility 
rules for electronic evidence compared to 
the Philippine Rules of Evidence (PRE), 
which is a separate standard for non- 
electronic evidence. 

Using email messages to try to acquire 
bank account information or other valuable 


information from victims. 
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Phreaking 
Physical extraction 


Pirate Bay 
Plain view doctrine 


Plaintext 
Police Agencies 


Police and Justice Act 2006 


Police Intellectual Property 
Crime Unit (PIPCU) 


Pornography 


Prediction 


Pre-forensics 


Preponderance of evidence 


Preservation 
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The act of using hacking techniques to 
exploit vulnerabilities within telephony. 
The process of salvaging digital 
information. 

A well-known group that enables piracy. 
Allows law enforcement officers to conduct 
a search and seizure for evidence that 

may not be in the search warrant but is in 
plain view and its incriminating nature is 
immediately apparent. 

A legible message or piece of content. 

An agency empowered by a state with 

the responsibility to enforce laws within 

a specific set of geographical boundaries, 
including the power to arrest individuals and 
use force when necessary to maintain order. 
The UK law that enhanced sentences for 
computer hacking cases. 

A unit in the London Police that 
investigates and handles various forms of 
piracy. 

The representation of sexual situations and 
content for the purposes of sexual arousal 
and stimulation. 

A specific statement as to how you will 
determine if your hypothesis is true. 

A term used to refer to the 1980s 
regarding digital forensic technologies, 
characterized by the lack of formal 
structure, protocols, training, and 
adequate tools. 

Means it must be more likely than not that 
the accused in fact committed whatever 
acts they are accused of. 

Making a copy of the original data files for 
examination in a way that minimizes the 
possibility of any changes being made to 
the original data files. 


PRISM program 


Probable cause 


Process models 


Project Zero 


Proprietary software 
Prosecutorial Remedies 

and Other Tools to end the 
Exploitation of Children Today 
Act (or PROTECT Act) of 
2003 


Prostitution 


Protection from Harassment Act 
1997 (c40) 


An NSA-implemented program beginning 
in 2007 to collect email and other 
electronic communications data of all 
sorts, carried out through cooperative 
relationships with various technology 
companies, including Apple, Facebook, 
Google, Microsoft, and Skype. 

Means there must be adequate reasons or 
justifications, rather than mere suspicion, to 
conduct a search. 

Techniques and strategies designed to provide 
practical guidelines and procedures for 
conducting a digital forensic investigation. 

A security threat hunting team searching 
for zero-day vulnerabilities, employed by 
Google. 

See closed source. 

This US law criminalized virtual child 
pornography and extended the legal 
definition to include “‘a digital image, 
computer image, or computer-generated 
image that is, or is indistinguishable from, 
that of a minor engaged in sexually explicit 
conduct.” 

The practice of paying for sex, which 
may or may not be illegal depending on 
place. 

This UK law criminalized stalking and 
bullying in professional settings. Section 4 
of the Act criminalizes the act of putting 
others in fear of violence, defined as 

any course of conduct that would cause 
“another to fear, on at least two occasions, 
that violence will be used against him,” 
where the offender “is guilty of an offence 
if he knows or ought to know that his 
course of conduct will cause the other so to 
fear on each of those occasions.” 
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Protection of Freedoms Act 
2012 


Proxy server 


Pump and dump messages 


Punternet 


QAnon 


RAM slack 


Radical Far Right 


Random access memory (RAM) 


Ransomware 


Read-only 


Reasonable expectation of 


privacy 


Reasonableness clause 


Revised the Protection from Harassment 
Act 1997 to include language specifically 
related to stalking and incorporate aspects 
of technology into law. 

A server that can be used to hide a 
computer’s location by acting as an 
intermediary between a computer and the 
servers and systems it connects to through 
the Internet. 

A form of spam-enabled fraud that attempts 
to manipulate the value of corporate stocks. 
A UK-based website designed for 
individuals to post reviews of escorts and 
sex workers. 

A global conspiracy theory centered on 
the belief that Democrats, celebrities, and 
others in positions of power are actually 
pedophiles who kill children in ritualistic 
methods. 

When randomly selected data from RAM 
is stored in the file slack. 

See alt-right. 

Type of computer-based memory that 
stores that part of the data that is currently 
being used by the computer. 

Malware that demands the operator of the 
infected system pay in order to have their 
system’s functionality restored. 

Term referencing the ability of a device to 
only view accessible data on a drive but not 
alter it in any way. 

The person must have exhibited an actual 
expectation of privacy, and the expectation 
must be one that society is prepared to 
recognize as reasonable. 

A search is constitutional if it does not 
violate a person’s reasonable and legitimate 
expectation of privacy. 


Recording Industry Association 
of America (RIAA) 


Redroom 


Regulation of Investigatory 
Powers (RIPA) 


Relevant 


Reliability 


Repeatability 


Report/presentation stage 


Reproducibility 


Revenge porn 


Right to privacy 


A trade organization that supports the 
recording industry and those businesses that 
create, manufacture, or distribute legally 
sold and recorded music within the United 
States. 

A scam operating on the Dark Web where 
individuals claim to provide access to 
horrible acts of violence against others on a 
fee-for-service basis. 

This law mandates key disclosure so 

long as law enforcement obtains signed 
authorization from a high-ranking official. 
When evidence can make the facts 
presented in a case more or less probable; 
evidence that does not tend to prove 

or disprove a presented fact in a case 

is deemed irrelevant, and therefore 
inadmissible. 

The accuracy of the evidence deemed 
relevant to a case. 

Where independent test results are obtained 
with the same method, on identical test 
items, in the same laboratory, by the same 
operator, using the same equipment within 
short intervals of time. 

The final step in the process of digital 
forensic investigation where the findings 
that are determined relevant to the 
investigation are finalized in a report. 
Where test results are obtained with 

the same method on identical test items 
in different laboratories with different 
operators using different equipment. 
Websites explicitly for individuals to post 
sexual images and videos they received 

or acquired for others to see without the 
consent of the creator. 

See Fourth Amendment. 
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Ripper 


Romance Scam or Romance 
Fraud 


Routine activity theory 


Rule 34 


Scareware 
Scientific evidence 


Scientific method 


Script kiddie 


Search 


Search and seizure 


A seller in carding markets who does not 
provide data after being paid, is slow to 
respond to customers, or sells bad data and 
does not offer to replace their products. 

A form of online fraud where the 
offender gains the emotional and romantic 
trust of their target, often through 
misrepresentation and manipulation, so as 
to obtain money from them over time. 
Cohen and Felson (1979) argued that 
direct-contact predatory victimization 
occurs with the convergence in both space 
and time of three primary components: (1) 
a motivated offender; (2) a suitable target; 
and (3) the absence of a capable guardian. 
Online meme that states that “if it exists, 
there is pornographic content of it.” 

See Ransomware. 

Information derived from the scientific 
method that is relevant to the facts of 

a case. 

A process that uses strict guidelines to 
ensure careful and systematic collection, 
organization, and analysis of information. 
A derogatory term meant to shame 
individuals by recognizing their use of 
premade scripts or tools, their lack of 
skill, and the concurrent harm that they 
may cause. 

The exploration or examination of an 
individual’s home, premises, or person 

to discover things or items that may be 
used by the government as evidence in a 
criminal proceeding. 

When law enforcement officers are 
identifying and collecting potential 


evidence to be used in the court of law. 


Search incident to arrest 


Search warrant 


Secret shopper schemes 


Section 49 request 


Sector 


Secure hash algorithm (SHA) 


Seizure 


Self-control 
Self-incrimination 


Self-incrimination clause 


Self-radicalization 


The process of searching a person who has 
been arrested for a crime. 

A document signed by a judge or 
magistrate authorizing law enforcement to 
conduct a search. 

A form of spam-enabled fraud where sellers 
pretend to operate legitimate businesses 
that are seeking employees who can 

cash checks and purchase goods with the 


proceeds. 

In the United Kingdom, a law enforcement 
mandate which requires encryption key 
disclosure so long as law enforcement obtains 
signed authorization from a high-ranking 
official using a specialized Section 49 form. 
The smallest physical storage unit on a 
computer disk drive, which is almost 
always 512 bytes. 

A common hashing algorithm created by 
the US National Security Agency that 
creates a 160-bit value for an item using a 
unique combination of hexadecimal digits. 
The exercise of control by the government 
over a person or thing because of a 
violation of the law. 

The ability to constrain one’s own behavior 
through internal regulation. 

Giving a statement that might expose 
oneself to punishment for a crime. 

In the United States, a Fifth Amendment 
rule that provides defendants with 
protection from self-incrimination. 

The process of accepting a radical, 
extremist, or terrorist ideological belief 
system through self-directed engagement 
with written materials, videos, and content, 


often found online. 
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Severity 


Sexting 


Sexual fetishes 


Shoulder surfing 


Silk Road 


Sky ECC 


Slack space 
Social engineering 


Social learning theory 


Software 


Involves the intensity of the punishment 
relative to the harm caused by the crime in 
the context of deterrence theory. 

The practice of sending photos or videos 
of individuals in provocative outfits or 
engaging in sexually suggestive activities 
through text messaging. 

The experience of sexual arousal or 
enhancement of a romantic encounter 
based on the integration of physical objects 
or certain situations. 

The act of stealing someone’s passwords 

for email accounts or access to a system by 
looking over their shoulder and watching 
their keystrokes. 

An online market developed to enable 
individuals to buy and sell narcotics through 
various mechanisms internationally. 

It garnered great attention from both 
researchers and the popular media due in 
part to the fact that transactions were paid 
using bitcoins. 

A subscription-based encrypted messaging 
application that was heavily used by 
criminal actors around the world to conceal 
their communications. 

See file slack. 

The use of tactics that try to fool or 
convince people to provide information that 
can be used to access different resources. 
Criminological theory created by Akers 
which argues that the learning process of 
any behavior, including crime, includes 
four principal components: (1) differential 
association; (2) definitions; (3) differential 
reinforcement; and (4) imitation. 

Consists of programs that include instructions 


which tell computers what to do. 


SolarWinds 


Sovereignty 


Space transition theory 


Spam 
Spamhaus 


Spear phishing 


Special Interest Group for 


Vendors (SIG Vendors) 


Stalking 


Standard of proof 


Star Wars Kid 


Steganography 


Steganography medium 


A US-based software company that was 
implicated in one of the most serious hacks 
of the US government agencies to date. 
The authority of a state to control its 
territory and populace and defend itself 
with force as needed. 

This theory created by K. Jaishankar argues 
that people behave differently while online 
than they otherwise would in physical 
space. 

Unsolicited emails sent to large groups. 

An international organization founded 

in 1998 to track the activities of email 
spammers and spam campaigns broadly. 
Well-crafted and targeted spam messages 
that target one person or a small group. 

A subgroup of FIRST that links 
respondents with software, hardware, 

and security vendors in order to handle 
emergent threats and mitigation techniques. 
The use of repeated and intense harassing 
messages that involve threats or cause the 
recipient to feel fear for their personal safety. 
A continuum of probability used to assess 
suspicions of an individual’s guilt based on 
the evidence presented. 

The name given to a video featuring a young 
boy flailing a stick around a room in a similar 
fashion to a lightsaber, which was released 

to the Internet by classmates without his 
permission and went on to become a key 
example of cyberbullying behavior. 

The practice of hiding information in 

such a way that others are not aware that a 
hidden message exists. 

The type of digital media containing a 
steganographic message, typically in video 


or picture files. 
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Stop Enabling Sex Traffickers One ofa pair of US laws passed in 2018 

Act (SESTA) that make it illegal to knowingly facilitate, 
assist, or support sex trafficking in online 
environments. 

Stop Online Piracy Act (SOPA) This legislation was designed to expand 
the capabilities of law enforcement to 
combat both digital piracy and online 
counterfeiting and would have enabled 
courts to order that websites be blocked 
in the event that they hosted or were in 
some way involved with either piracy or 


counterfeiting activities. 


Street prostitution Prostitutes who solicit individuals on the 
street. 
Streetwalker (SW) A term used to reference a street-walking 


prostitute in online forums. 

Structured phase A term given for the mid 1980s to describe 
the state of digital forensic technology, 
characterized by the harmonization 
between computer forensic procedure/ 
policy and computer crime legislation. 

Stuxnet A computer worm that was used in attacks 
against the Natanz uranium enrichment 
facility in Iran. 

Subculture Any group having differentiating values, 
norms, traditions, and rituals that set them 
apart from the dominant culture. 


Subpoena A court order requiring a person to 
appear before a grand jury or produce 
documents. 

Suitable target A variable in routine activity theory 


referring to a person or object that has traits 
making him/her attractive to the offender 
on a wide range of factors. 
Supervisory Control and Computer systems that support the 
Acquisition System (SCADA) processes within industrial systems such as 
nuclear power plants, hydroelectric dams, 
or sewage treatment plants. 
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Survey/identification stage 


Tallinn Manual 


Technicways 


Techniques of neutralization 


Territoriality 


Terror 


Testimonial 
The Hacker Ethic 


The Hacker Manifesto 


The Protection of Children Act 
1978 (PCA) 


The initial step of a digital forensic 
investigation. During this stage, law 
enforcement personnel and digital forensic 
technicians survey the physical and digital 
crime scene to identity potential sources of 
digital evidence. 

An academic study referencing the ways 
in which international laws relevant to 
conflict applies to cyberwarfare broadly. 
Term referring to the ways that behavior 
patterns change in response to, or 

as a consequence of, technological 
innovations. 

Theory created by Sykes and Matza that 
focuses on how beliefs affect the process 
of deciding to commit a delinquent or 
criminal act. This theory assumes that 
most people hold conforming beliefs, 

but may still engage in criminal behavior 
occasionally through the application of 
definitions that justify their actions. 

The ownership and control of an area or 
physical space and the contents within it. 
Planned acts of violence designed to 
promote fear or cause harm in a general 
population in support of a social agenda. 
A statement made to law enforcement. 

A series of values developed by hackers in 
the 1960s that espouse their beliefs about 
the use of technology. 

An article published in the magazine 
Phrack written by “The Mentor” that 
details his perceptions of hacking and 
rationalizing involvement in illegal hacks. 
The first UK legislation that made it illegal 
to obtain, make, distribute, or possess an 
indecent image of someone under the age 


of 18 years. 
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The Shadow Brokers 


ThinkUKnow 


Thumb drives 
Tor 


Torrent 


Trademark 
Traders 


Traffic stop 


Trailer 
Transparency 


Travelers 


Trawler 


Tricking 


A hacker group responsible for the 

illegal acquisition and release of zero-day 
vulnerabilities and hacking tools thought to 
have been stockpiled by the US NSA. 

A UK-based program designed to educate 
children and adults about threats to youth 
safety. 

See USB flash drives. 

An anonymous and encrypted network used 
by individuals to hide their physical location. 
A form of file sharing that enables easy and 
distributed access to various intellectual 
property and online content, commonly 
used to pirate materials. 

See Copyright. 

The misuse of the Internet by individuals 
who traffic in child pornography. 

Occurs when the driver of the vehicle is 
stopped because there is suspicion that a 
traffic violation has occurred or a crime is 
being committed. 

See Footer. 

Term used to describe the reporting of 
forensic evidence analysis findings that 

are detailed in such a way as to leave no 
mystery in the digital forensics process. 
The misuse of the internet by individuals 
who attempt to find children to 

molest through computer-mediated 
communications. 

A software tool used to scrape, or collect, 
content from websites. 

A form of cyberbullying that involves 
convincing individuals to provide 
personal information about themselves 

in what they think is a personal 
conversation, which is then revealed to 
the general public. 


Tricks 


Trojan 


Truant 
True threat 


Trusted platform 


Truth in Domain Names Act of 
2003 


UK Computer Misuse Act 
Unallocated space 
Unfair prejudice 


Uniform Crime Report (UCR) 


Uniform Trade Secrets Act 
(UTSA) 


United States Constitution 


A term used by sex workers to describe 
their clients or customers. 

A form of malware that appears to be a 
downloadable file or attachment that people 
would be inclined to open, that when 
opened executes some portion of its code 
and delivers its payload on the system. 

An individual who routinely skips school. 
Term used in US law to identify statements 
where the speaker means to communicate a 
serious expression of intent to commit an act 
of violence against another person or group. 
A seemingly secured software environment 
that can be used to download and upload 
materials without fear of compromise. 

A US law that makes it illegal for 
individuals to create domain names that 

are misleading or designed to directly 
expose individuals to pornographic content 
without their knowledge. 

UK law developed in the 1990s that enabled 
the prosecution of computer hacking cases. 
Space on a hard drive to which data has not 
yet been written. 

A form of prejudice that could bias or 
confuse fact finders. 

The primary US reporting mechanism used 
by law enforcement agencies to collect and 
report data on crimes made known to the 
police. 

A US act created in 1979 designed to 
standardize state laws related to the 
protection of trade secrets. 

Legal document in the United States that 
was adopted on September 17, 1787 that 
mandates all state judges to follow federal 
law in the event that conflicts arise between 
state and federal law. 
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United States Cyber Command, 
CYBERCOM 


United States Department of 


Justice (US DOJ) 


United States Secret Service 
(USSS) 


United States v. Alkhabaz 


United States v. Fricosu (2012) 


United States v. Smith (1998) 


US Postal Inspection Service 


USA PATRIOT Act 


USB flash drives 


Validity 


Vault App 


Created in 2009 by the Pentagon in order 
to manage the defense of US cyberspace 
and critical infrastructure against attacks. 
The US federal department that has the 
responsibility to “enforce the law and 
defend the interests of the United States 
according to the law.” 

The US federal law enforcement agency 
that provides protection for the President 
and foreign dignitaries and investigates 
hacking and financial crime cases. 

A major US federal court case that 
established the concept of true threats in 
the prosecution of stalking cases. 

US court case that involved a woman’s 
right to protection from self-incrimination 
on the basis of encrypted data on a laptop. 
US court case that ruled that the warrantless 
search of a cell phone seized incident to 
arrest violates the Fourth Amendment. 
The US federal agency that investigates 
child pornography and other crimes 
facilitated through the US mail. 

A US law, the Provide Appropriate Tools 
Required to Intercept and Obstruct 
Terrorism (PATRIOT) Act, was passed 
in 2001 to support law enforcement 
investigations of terrorism. 

The most common removable storage device 
for digital media that are small, lightweight, 
and can easily be transported and concealed. 
Term used to describe whether forensic 
evidence was collected and preserved in a 
manner so that an accurate conclusion can 
be drawn. 

An application used to keep media and text 
messages private through password protection 
and other obfuscation techniques. 


Vehicle System Forensics 


Verification 


Video cassette 


Video cassette recorders (VCRs) 


Violent Crimes Against Children 
International Task Force 
(VCACITF) 

Virtual Global Taskforce (VGT) 


Virtual Private Networks 
(VPNs) 


Virus 


Volatile 


Vulnerability 


Vulnerabilities Equity Process 
(VEP) 


The use of digital forensic capture and analysis 
methods against a car or other vehicle’s 
computer and infotainment systems. 
Establishes the integrity of the digital 
evidence by proving that the duplicate is 
authentic. 

A form of media utilizing magnetic tape 
that could record and store visual and audio 
content. 

A form of technology that allows 
individuals to watch and record media 
using magnetic cassette tapes. 

The largest global task force in the world 


that investigates child exploitation cases. 


Established in 2003, an alliance of agencies 
and private industry that work together in 
order to identify, investigate, and respond 
to incidents of child exploitation. 

The practice of establishing an encrypted 
and protected network connection when 
using a public internet connection to 
disguise an individual’s online identity and 
minimize tracking of their online identity. 
One of the oldest forms of malware that 
cannot be activated or execute its payload 
without some user intervention, such as 
opening a file or clicking on an attachment. 
Term referring to the potential for data loss 
when a computer is powered off. 

Flaws in computer software, hardware, or 
people (in the case of social engineering 
or committing risky activities which open 
oneself to victimization). 

The process implemented within the US 
government to determine how to handle 
zero-day vulnerabilities and their use, 
particularly their disclosure to the public. 
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Wannabe 


WannaCry 


Warez 


Warez doodz 


Warrant 


Warrants clause 


Wearable devices 


Web defacement 


Welcome to the Game 


White-hat hacker 


White power 


Wiping 


A reference to noobs or script kiddies, 
referencing their limited capacity and skills. 
A form of ransomware that is thought to 
have originated from North Korea as a 
means to generate funds for the country. 
Pirated software and intellectual property 
that was commonly used by hackers in the 
1980s. 

Individuals who posted and shared 
programs. 

A signed document issued by a judge or 
magistrate that authorizes a specific course 
of action for law enforcement. 

The second clause of the Fourth 
Amendment indicating that a warrant 

or signed document issued by a judge or 
magistrate authorizes a specific course of 
action. 

Any sort of Internet-enabled device that 
can be worn by a person, such as a watch 
or pair of glasses. 

An act of online vandalism wherein an 
individual replaces the existing HTML 
code for a web page with an image and 
message that they create. 

A video game where the player moves 
throughout a Dark Web environment in 
order to see redroom content. 

A type of hacker with some skill who 
works to find errors in computer systems and 


programs to benefit general computer security. 
A term often associated with white 
supremacist groups like the Ku Klux Klan 
and other religious or ideologically based 
groups with an emphasis on the purity and 
separation of the white race. 

The process of cleaning a digital storage 
device to ensure that there are no remnants 


of data present. 


Wire fraud 


Work-at-home schemes 


World Intellectual Property 
Organization (WIPO) 
Worms 


Write 


Write blocker 


Zeus Trojan 


Zoombombing 


Fraud committed through the use of 
electronic communication. 

A form of spam-enabled fraud where the 
seller promises recipients substantial earnings 
for just a few hours of work per day. 

An international agency designed to 
support intellectual property rights. 

A unique form of malware that can 
spread autonomously, though it does not 
necessarily have a payload. 

The process of altering or modifying data 
on a hard drive. 

A device that allows read-only access to 
all accessible data on a drive, as well as 
prevents anything from being written to 
the original drive, which would alter or 
modify the original evidence. 

A form of malware that targets Microsoft 
Windows systems and is often sent through 
spam messages and phishing campaigns. 
The practice of joining a zoom session or 
other online conference call in order to 
cause harm by disrupting the proceedings, 
often as a means to troll the participants. 
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Taylor & Francis 
Taylor & Francis Group 


http://taylorandfrancis.com 
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